Network layer performance and security provided by a distributed cloud computing network

ABSTRACT

A GRE tunnel is configured between multiple computing devices of a distributed cloud computing network and a single origin router of the origin network. The GRE tunnel has a first GRE endpoint that has an IP address that is shared among the computing devices of the distribute cloud computing network and a second GRE endpoint that has a publicly routable IP address of the origin router. A first computing device receives an IP packet from a client that is destined to an origin server. The first computing device processes the received IP packet and encapsulates the IP packet inside an outer packet to generate a GRE encapsulated packet whose source address is the first GRE endpoint and the destination address is the second GRE endpoint. The GRE encapsulated packet is transmitted over the GRE tunnel to the single origin router.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional Application No.62/886,314, filed Aug. 13, 2019, which is hereby incorporated byreference.

FIELD

Embodiments of the invention relate to the field of networking; and morespecifically, to network layer performance and security provided by adistributed cloud computing network.

BACKGROUND

On-premises networks such as enterprise networks are conventionallyexpensive and require several pieces of hardware. To protect against adistributed denial-of-service (DDoS) attack, many enterprises pickbetween performance and security when deploying IP network services thatdirect traffic to a small number of “scrubbing centers” or rely onon-premises hardware. On-premises networks typically involve purchasing,operating, and maintaining network function specific hardware equipmentsuch as hardware load balancers, firewalls, DDoS mitigation equipment,WAN optimization, and other hardware. Each hardware component costs timeand money to maintain and makes the network harder to manage. Thus,conventional network services are expensive; they require high capitaloutlays, investment in staff to operate, and ongoing maintenance to stayfunctional.

Generic Routing Encapsulation (GRE) is a type of tunneling protocolcommonly used to deliver traffic across intermediary networks. Forexample, consider a corporation that has users and servers in a mainoffice and users in a remote office. The servers have IP addresses thatusers in the main office can access because they are on the samenetwork. However, users in the remote office are on a different networkthat is separated from the main office by the internet. A GRE tunnel canbe established between the router in the main office and the router inthe remote office such that the users in the remote office can accessthe servers in the main office by their local IP addresses. Effectively,the remote office router is configured such that when it receives IPpackets from users in the remote office that are destined to IPaddresses of the main office, the router wraps those IP packets inencapsulating IP headers plus a GRE header, where the encapsulatedpacket's destination IP address is the IP address of the router of themain office. When the router of the main office receives theencapsulated packet, it strips off the encapsulating IP header and GREheader and re-issues the original IP packet back into its local network.A similar procedure is followed for traffic from the main office to theremote office.

GRE is typically a stateless protocol. Any IP packet can be encapsulatedindependently, and any encapsulated packet can be decapsulatedindependently. There is an extension to GRE which adds sequencingsimilar to TCP sequence/acknowledgement numbers; in this extensionconfiguration, GRE is not stateless. GRE is sometimes referred to as a“point-to-point” protocol because the configuration of each tunnelendpoint is typically done on a single device, often a router.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention may best be understood by referring to the followingdescription and accompanying drawings that are used to illustrateembodiments of the invention. In the drawings:

FIG. 1 illustrates an exemplary system for network layer performance andsecurity provided by a distributed cloud computing network according toan embodiment.

FIG. 2 illustrates an example architecture of a data center according toan embodiment.

FIG. 3 is a flow diagram that illustrates exemplary operations forestablishing the network layer performance and security service providedby the distributed cloud computing network according to an embodiment.

FIG. 4 illustrates an exemplary system for network layer performance andsecurity provided by a distributed cloud computing network according toan embodiment.

FIG. 5 is a flow diagram that illustrates exemplary operations for anetwork layer performance and security service provided by a distributedcloud computing network according to an embodiment.

FIG. 6 illustrates an exemplary system for network layer performance andsecurity provided by a distributed cloud computing network according toan embodiment.

FIG. 7 shows an embodiment where a private network interconnect (PNI) isestablished between the origin network and the compute server(s) of thedata center according to an embodiment.

FIG. 8 shows an embodiment where a PNI is established between the originnetwork and the compute server(s) of the data center according to anembodiment.

FIG. 9 is a flow diagram that illustrates exemplary operations for anetwork layer performance and security service provided by a distributedcloud computing network according to an embodiment.

FIG. 10 is a flow diagram that illustrates exemplary operations for anetwork layer performance and security service provided by a distributedcloud computing network according to an embodiment.

FIG. 11 shows a packet flow through a compute server according to anembodiment.

FIG. 12 shows a packet flow through a compute server 128 according to anembodiment.

FIG. 13 illustrates an example of IP packets intelligently routedaccording to an embodiment.

FIG. 14 illustrates a block diagram for an exemplary data processingsystem that may be used in some embodiments.

DESCRIPTION OF EMBODIMENTS

Network layer performance and security provided by a distributed cloudcomputing network is described. The distributed cloud computing networkis available as a service over the internet and does not requirecustomers (e.g., origin owners and/or operators) to install additionalhardware or software to support the service. The distributed cloudcomputing network includes multiple data centers that are geographicallydistributed. There may be hundreds to thousands of data centers, forexample. Each data center includes one or more compute servers. Eachdata center can also include one or more DNS servers (e.g., one or moreauthoritative name servers, one or more proxy DNS servers), and/or oneor more other pieces of network equipment such as router(s), switch(es),and/or hubs. In an embodiment, each edge server within a data center mayprocess network layer traffic (e.g., HTTP/S, SPDY, FTP, TCP, UDP, IPSec,SIP, other IP protocol traffic, or other network layer traffic). Thedescription herein will use IP as an example of the network layer.However, other network layer protocol types may be used in embodimentsdescribed herein.

IP traffic destined to an origin network is received at the distributedcloud computing network instead of being received initially at theorigin network. For instance, in an embodiment, IP address(es) of theorigin network are advertised (e.g., using Border Gateway Protocol(BGP)) by the distributed cloud computing network instead of beingadvertised by the origin network. This causes IP traffic to be receivedat the distributed cloud computing network instead of being received atthe origin network. The IP address(es) of the origin network may beadvertised by each of the data centers as anycast IP address(es) suchthat IP traffic destined to those IP address(es) are at least initiallyreceived at the data center that is closest to the transmitting devicein terms of routing protocol configuration (e.g., BGP configuration)according to an anycast implementation as determined by the networkinfrastructure (e.g., router(s), switch(es), and/or other networkequipment between the transmitting device and the data centers. Inanother embodiment, the data centers advertise a different set ofanycast IP address(es) on behalf of the origin and map those anycast IPaddress(es) to the origin IP address(es). In either embodiment, IPtraffic destined for the origin is routed to one or more of the datacenters. This effectively means that all of the network locations of thedistributed cloud computing network, and the network capacity of thedistributed cloud computing network, are available to the originnetwork.

The distributed cloud computing network can provide one or moreperformance services and/or one or more security services that do notrequire customers to install additional hardware or software to supportthe service. The one or more performance services can include a contentdelivery network, caching, video delivery, website optimizations (e.g.,asynchronous loading, image optimizations, mobile optimizations), loadbalancing, intelligent routing, availability, and/or protocol management(e.g., IPv4/v6 gateway). The one or more security services can includeDDoS protection, secure session (SSL/TLS) support, web applicationfirewall, threat blocking, privacy protection, access control,compliance, and/or rate limiting. The performance services and securityservices described above are examples and the distributed cloudcomputing network may perform different services than described. In anembodiment, each performance service and/or security service can beperformed in each data center. Thus, without installing additionalhardware or software, a customer can deploy in front of theiron-premises network the distributed cloud computing network that canprotect their on-premises network from DDoS attack and/or enablesprovisioning of a full suite of virtual network functions includingadvanced packet filtering, load balancing, and traffic management tools.In an embodiment, the performance services and/or security services thatapply to a particular IP packet and/or IP address may be configured bythe customer. For instance, a customer can configure which service(s) toapply to which IP address(es) and/or type of IP packet received.

IP packets destined for the origin network are received at thedistributed cloud computing network and can be inspected for attacks,filtered, steered, accelerated, and/or sent onward to the originnetwork. Connectivity between the distributed cloud computing networkand the origin network may be supported over tunneling protocols (e.g.,Generic Routing Encapsulation (GRE) tunnels, IPsec tunnels, etc.),private network interconnects (PNI), or other forms of peering. Thedistributed cloud computing network offers full-duplex, bidirectional IPconnectivity to the internet with transit provided by the distributedcloud computing network.

FIG. 1 illustrates an exemplary system for network layer performance andsecurity provided by a distributed cloud computing network according toan embodiment. The system includes the distributed cloud computingnetwork 120. The distributed cloud computing network 120 includesmultiple data centers 125A-N. There may be hundreds to thousands of datacenters, for example. The data centers 125A-N are geographicallydistributed (e.g., throughout the world). The data centers 125A-Ninclude one or more compute server(s) 128A-N respectively. Each datacenter 125 can also include one or more control servers, one or more DNSservers (e.g., one or more authoritative name servers, one or more proxyDNS servers), and/or one or more other pieces of network equipment suchas router(s), switch(es), and/or hubs. In an embodiment, each computeserver 128 within a data center 125 may process IP traffic (e.g.,HTTP/S, SPDY, FTP, TCP, UDP, IPSec, SIP, or other IP protocol traffic).The data centers 125A-N are connected across the public internet.

The system also includes the origin network 130 that includes the originserver 132 and the origin router 134. The origin network 130 is theorigin for IP traffic of a customer of the distributed cloud computingnetwork 120. The origin network 130 may be connected to one or more ofthe compute server(s) 128A-N of the data centers 125A-N. In the exampleof FIG. 1, the origin server 132 has the IP address 203.0.113.1. Thedata centers 125A-N receive IP traffic for the origin server 132. In anembodiment, the data centers 125A-N receive the IP traffic destined forthe origin server IP address (e.g., 203.0.113.1) because the datacenters 125A-N advertise the IP prefix of the customer (as anycast)instead of the origin network advertising the IP prefix. In anotherembodiment, the data centers 125A-N advertise a different anycast IPaddress on behalf of the origin and map that different anycast IPaddress to the origin IP address. In either embodiment, IP trafficdestined for the origin is routed to one or more of the data centers125A-N.

FIG. 2 illustrates an example architecture of a data center 125according to an embodiment. The data center 125A includes the computeservers 128A.1-128A.N that are each connected to the router 210A. Eachof the compute servers 128A.1-128A.N may be separate physical devices ormay be virtual instances running on one or more separate physicaldevices. Each different compute server 128A.1-128A.N may be assigned adifferent IP address. The compute servers 128A.1-128A.N may form an ECMPgroup. In an embodiment, the router 210A externally advertises the IPprefix of the origin network instead of the origin network advertisingthe IP prefix, and the compute servers 128A.1-128A.N advertise the IPprefix of the origin network to the router 210A. The router 210Areceives IP packets destined for the origin network 130. The router 210Adetermines one of the compute servers 128A.1-128A.N to which it willtransmit the received IP packet. In an embodiment, the compute servers128A.1-128A.N form an ECMP group and the router 225A divides the trafficbetween the compute servers 128A.1-128A.N. In another embodiment, alayer 4 load balancing is used to distribute traffic among the computeservers 128A.1-128A.N.

The particular data center 125 that receives a particular IP packet froma client device may be determined by the network infrastructureaccording to an Anycast implementation or by a geographical loadbalancer. For instance, the data centers 125A-N may each advertise thesame anycast IP address. An IP packet with a destination IP address ofthat anycast IP address will be received at the data center that isclosest to the client device in terms of routing protocol configuration(e.g., Border Gateway Protocol (BGP) configuration) according to ananycast implementation as determined by the network infrastructure(e.g., router(s), switch(es), and/or other network equipment) betweenthe requesting client device and the data centers.

The data center 125 that receives the IP packet from the client device110 will process the packet. The packet may be directed to a computeserver 128 of the data center 125 for processing. The processing mayinclude performing one or more of performance services and/or one ormore security services. The one or more performance services can includea content delivery network, caching, video delivery, websiteoptimizations (e.g., asynchronous loading, image optimizations, mobileoptimizations), load balancing, intelligent routing, availability,and/or protocol management (e.g., IPv4/v6 gateway). The one or moresecurity services can include DDoS protection, secure session (SSL/TLS)support, web application firewall, threat blocking, privacy protection,access control, compliance, and/or rate limiting. The performanceservices and security services described above are examples and thedistributed cloud computing network 120 may perform different servicesthan described. In an embodiment, each performance service and/orsecurity service can be performed in each data center 125. In anembodiment, the one or more security services are continually performedwhile in other embodiments the one or more security services areperformed on-demand.

In an embodiment, the content delivery network service may includecaching content at the data centers 125A-N (e.g., the distributed cloudcomputing network 120) to deliver content faster with less latency. Inaddition, when static content is cached in the geographicallydistributed network of data centers, the availability of the staticcontent can be maintained even when the origin server fails or goesdown. In an embodiment, content caching is based on rules that specifyparticular behavior for individuals URLs and/or IP addresses, includingwhat content gets cached and how long the content remains cached.Traffic can be load balanced across multiple origins, using proximityand network latency to determine the most efficient destination for eachcontent request. In an embodiment, content is placed on dedicated IPranges, allowing for prioritized routing and protection.

The content delivery network service may include video deliveryservices. In an embodiment, the video delivery services provide highquality video streaming through a bundled platform that combinesstorage, transcoding, distribution and playback functionalities.

In an embodiment, caching service can include automatic static contentcaching, cache purging, and tiered caching. As noted above, staticcontent caching can conserve CPU resources and bandwidth providingstatic content from the geographically distributed network of datacenters. In an embodiment, cache purging services using cache-tagsstored as metadata with cached objects allows for purging an entirecache or a single file. In an embodiment, using tiered caching, contentserved from adjacent data centers can reduce cache-miss rates, serverload, and end-to-end latency.

Website optimization services can include asynchronous resource loading,image optimizations, and mobile optimizations. Asynchronous resourceloading can allow multiple resources (e.g., images, scripts, etc.) to beloaded simultaneously rather than sequentially. Image optimizations caninclude resizing images from a single-source image master based on atype of user device and a connection speed. Images can be manipulated bydimensions (e.g., screen size), compression ratios, and format (e.g.,WebP conversion where supported). Image optimizations can also includeapplying both “lossless” and “lossy” image optimizations to removeunnecessary bytes from images. Mobile optimizations can includedetecting a browser type of a user device and optimizing performance forthe particular type of user device. This can improve the performance ofimages when a website is accessed via a mobile connection.

The load balancing services may provide local and global load balancingto reduce latency by load balancing traffic across multiple servers orby routing traffic to the closest geolocation region. For example,requests for dynamic content are sourced from origin servers that areeither closest to the user or meet specific weighted requirements.

The load balancing services may also provide health checks of serverswith fast failover to rapidly route users away from failing servers. Forexample, through periodic HTTP/HTTPS requests, monitoring can beconfigured for specific URLs with customizable intervals, timeouts, andstatus codes. Availability monitoring can check the health of originservers (e.g., as often as every 15 seconds), with reporting via emailnotifications and a REST API. Thus, when an origin server is marked asunhealthy, multi-region failover can route or reroute traffic to thenext available healthy server.

Network congestion and unreliable connections can result in slow loadtimes of websites. To address this issues, intelligent routing servicescan use real-time network intelligence to route traffic through thefastest network paths, while maintaining open, secure connections toeliminate latency imposed by connection-setup. For example, based onnetwork conditions, requests can be routed to avoid congested networkpaths and/or unreliable connections.

Protocol management services include an IPv4-to-IPv6 translation gatewaythat can allow any website to be available over IPv6 even when a site'sorigin network does not yet support the IPv6 protocol. In an embodiment,services that require IPv4 support can use a Pseudo IPv4 service, wherean HTTP header is added to requests established over IPv6 with a“pseudo” IPv4 address. In such an embodiment, using a hashing algorithm,Pseudo IPv4 will create a Class E IPv4 address which will produce thesame output for the same input; the same IPv6 address will result in thesame Pseudo IPv4 address.

A DDoS detection and mitigation service detects and mitigates againstDDoS attacks. DDoS attack may be identified in several ways that may bedifferent based on the type of attack. Many DDoS attacks involve sendinga large amount of traffic of a certain type to an intended target. TheDDoS detection may determine when there is an abnormal amount of trafficthat is destined to a particular destination (e.g., the traffic spikesfrom what is normally encountered). The DDoS detection may sample andanalyze the traffic looking for inconsistencies and establish athreshold amount of what the normal traffic rate is for a domain and/orIP address and determine when traffic exceeds that threshold. Trafficrates may be individual and separate for a compute server and/or datacenter and a DDoS attack may be identified for ach separate computeserver and/or data center; or a DDoS can be identified through anaggregation of traffic across all compute servers and data centers. Byway of a specific example, a DDoS attack may be detected by using one ormore parameters that exceed a threshold, including one or more of thefollowing to a particular IP address and/or domain: the number ofpackets, the amount of bandwidth, the number of User Datagram Protocol(UDP) packets/second, the number of Transmission Control Protocol (TCP)packets/second, the number of connections opened, the number of failedconnections, and the ratio of successfully opened connections versusfailed connections. These are just examples as there may be otherparameters used in combination with, or in lieu of, the above to detecta DDoS attack. For example, the distributed cloud computing network 120may detect if a domain and/or IP address is unreachable due to a heavyload, which may be an indication of a DDoS attack. As another example,the detection of a spike in metrics pertaining to a page or a resourcerequest may be an indication of a DoS attack (e.g., a particular requestheader, cookie, size of the request, non-standard control characters, alarge number of GET parameters, a large number of POST parameters,etc.). The DDoS mitigation may create rules to filter packets that meetcertain criteria and install them in a firewall for dropping thepackets.

Secure session support services (e.g., Secure Socket Layer (SSL) andTransport Layer Security (TLS) support) may be provided that allow forSSL to operate in different modes depending on the level of securityrequired and the amount of user configuration. For example, a flexiblesecure session service encrypts traffic from the distributed cloudcomputing network 120 to a client device, but not from the distributedcloud computing network 120 to an origin server, while a full securesession service encrypts the traffic from the distributed cloudcomputing network 120 to the origin server and the client device.

Web application firewall services can run in real-time to preventautomated attacks, SQL injection, XSS javascript injections and otherreal-time POST actions (e.g., cross-site scripting, cross-site forgeryrequests, etc.). The web application firewall services can contain rulesto thwart attacks commonly seen in popular applications, including:WordPress, Magento, Drupal, PHP, Joomla, etc. In an embodiment, webapplication firewall services allows an administrator to import theirown rules and write custom rules, as well as utilize system-generatedrules that are automatically updated when new security vulnerabilitiesare identified or detected.

Threat blocking and privacy protection security services can includereputation-based threat protection that block known malicious threats,comment spam protection that block spammers from posting on a website,and content scraping protection that protect content (e.g., text,images, email addresses) from web scrapers. Threat blocking securityservices can also block or present challenges to users by country, IPaddress, or autonomous system number. Threat blocking security servicescan also provide user agent blocking to allow a user to create a rule toblock or challenge a specific User Agent from accessing a domain, or azone lockdown to allow the whitelisting of specific IP addresses and IPranges.

Access control security services can include multi-user access,role-based access, and single sign-on support. Multi-user access allowsan administrator to invite other users to manage the account as anadministrator. In an embodiment, invited administrators can have fullcontrol over the account except for managing members and changingbilling information. Role-based access enables organizations tocollaborate across one account, and use roles-based permissions tocontrol access. In an embodiment, each user is assigned an individualAPI key and can use two-factor authentication to protect their ownaccount. Single sign-on support allows for centralized identity andaccess management by allowing owners to setup and define who can accesstheir accounts with their chosen identity provider.

Access control security services can also enable a user or administratorto monitor user access and change logs. For example, the system can logrecent logins, access requests, and policy changes, and provideinformation indicating affected users, associated IPs, domains, actionstaken, and timestamps.

Payment Card Industry Data Security Standards (PCI DSS) is a set ofsecurity standards designed to ensure that businesses that accept,process, store, or transmit credit card information maintain a secureenvironment. In an embodiment, by enabling web application firewall andModern TLS Only mode ensures that a business remains in compliance withthe latest PCI DSS standards.

DDoS attacks can be difficult to mitigate when they originate from alarge number of unique IP addresses and mimic legitimate traffic. Ratelimiting services can protect against such DDoS attacks, as well asprotect sensitive information against brute-force login attempts andother types of abusive behavior. In an embodiment, rate limitingprovides the ability to configure thresholds, define responses, andobtain information about specific URLs of websites, applications, or APIendpoints. Examples of thresholds can include allowing a certain numberof requests per minute from each unique IP address, a certain number oflogin attempts, etc. Example response configurations can include enablemitigating actions (e.g., challenges or CAPTCHAS), response codes, etc.Implementation of rate limiting service can reduce bandwidth usage byeliminating unpredictable traffic spikes or attacks.

In an embodiment, the processing functions and/or services that areperformed by the compute server may be different depending on the packetand/or configuration for the destination origin. For instance, the datacenters 125A-N may advertise an IP prefix (or group of IP addresses)instead of the origin network where some of the IP addresses may be fordifferent services such as load balancing, HTTP servers, mail servers,or other custom-based applications. Thus, different IP addresses of anorigin network may have different security and/or traffic managementrequirements. In an embodiment, the distributed cloud computing network120 receives configuration (e.g., from the origin owner or operator)that specifies one or more IP addresses and the services and/orfunctions to apply to those IP address(es), and applies thatconfiguration when determining what processing functions and/or servicesto apply. For example, the customer may define certain configurationsfor routing, firewalls, and/or other services. As an example, an originowner or operator may provide a configuration for the following: packetsdestined for a set of IP address(es) that contain HTTP services thatwere traditionally fronted by a traditional hardware load balancerinstead be processed by a load balancing service provided by thedistributed cloud computing network 120; HTTP traffic destined to theset of IP address(es) be processed with a web application firewallservice provided by the distributed cloud computing network 120; andcontent be cached by the distributed cloud computing network 120.

As another example, the compute server may identify an IP packet thatwould benefit from bidirectional flow processing (e.g., Layer 4 and/orLayer 7 processing that may require state of the packet to be stored)and cause the packet to be processed accordingly. For instance, thecompute server may identify the IP packet as a TCP packet, terminate theconnection and re-establish the TCP connection with the origin network130. In this case, the IP address of the compute server may be thesource IP address of the packet instead of the client device. This willbe described in greater detail with respect to FIG. 4.

In an embodiment, the distributed cloud computing network 120 includesone or more control servers that are operated by the service. Thecontrol server(s) provide a set of tools and interfaces for thecustomers and is accessible over the Internet. For example, the controlserver(s), among other things, allow the customer to configure theperformance services and/or security services including specifying oneor more IP addresses and the services and/or functions to apply to thoseIP address(es). The control server(s) can also configure other settingsfor the performance services and/or security services (e.g.,create/apply firewall rules, caching functions, image optimizationsettings, load balancing settings, mobile device settings, threatprotection, DDoS management/trigger, rate limiting rules, etc.). Thesettings can be selectively applied to one or more of their IPaddresses, pages, and/or resources.

In an embodiment, the processing functions and/or services that areperformed by the compute server for a particular IP packet may bedifferent depending on a set of one or more parameters associated withthat IP packet such as: the class of service of the packet, and thethreat data associated with the source IP address and/or destination IPaddress of the packet. The parameter(s) may be used to make a decisionon the packet such as dropping the packet.

Connectivity between the distributed cloud computing network 120 and theorigin network 130 may be supported over tunneling protocols (e.g., GREtunnels, IPsec tunnels, etc.), private network interconnects (PNI), orother forms of peering. In an embodiment where the data centers 125A-Nadvertise the IP address of the origin (instead of the originadvertising that IP address), the IP packet cannot simply be transmittedto that destination IP address because it will then be received again bythe distributed cloud computing network 120. Instead, in an embodiment,the IP packet is transmitted over an overlay network over the publicInternet to the origin network. For instance, the IP packet may betransmitted over the public internet over a GRE tunnel, IPsec tunnel, orother tunnel. The description below refers to GRE tunnels, however otherforms of encapsulation can be used (e.g., IPsec tunnels, VPN tunnels, IPin IP, SIT/IPv6, OpenVPN, Secure Socket Tunneling Protocol (SSTP), Layer2 Tunneling protocol (L2TP), Virtual Extensible Local Ara Network(VXLAN), etc.).

In an example, a single GRE tunnel with the same endpoints is configuredbetween each of the compute server(s) 128A-N of the data centers 125A-Nand the origin network 130 (e.g., the origin router 134 of the originnetwork 130). The GRE endpoints at the compute server(s) 128A-N may usethe same anycast IP address to terminate the GRE tunnel. A router ineach of the data centers 125A-N may advertise the same anycast IPaddress and the compute server(s) 128A-N are configured to accepttraffic directed to that same anycast IP address and advertise that sameanycast IP address to the router. The GRE endpoint at the origin network130 is generally a publicly routable IP address for the origin network130. Since the GRE endpoints at the compute server(s) 128A-N of the datacenters 125A-N use the same anycast IP address to terminate the GREtunnel, each of the compute server(s) 128A-N of the data centers 125A-Nare able to receive traffic over the GRE tunnel from the origin network130. A single GRE tunnel configuration on the side of the origin network130 effectively establishes a GRE tunnel with each of the computeserver(s) 128A-N, which eliminates the requirement to configure multipleGRE tunnels with different data centers 125A-N. Thus, a single GREtunnel is effectively shared between each of the compute server(s)128A-N and the origin network 130. Any of the compute server(s) 128A-Ncan be removed from production or fail, and a different one of thecompute server(s) 128A-N is still able to receive the GRE traffic fromthe origin network 130. Also, any of the data centers 125A-N can beremoved from production or fail, and the next closest data center to theorigin network 130 will start receiving the GRE traffic from the originnetwork 130. Thus, no single compute server or single data center 125A-Nis a single point of failure. Although an embodiment has been describedwhere GRE tunnels are configured between the compute server(s) 128A-Nand the origin network 130 (e.g., the origin router 134), in analternative embodiment GRE tunnels are configured between a router ofeach data center 125A-N and the origin network 130 (e.g., the originrouter 134). However, performing the GRE encapsulation/decapsulation onthe compute server(s) 128A-N instead of routers of the data centers125A-N reduces the compute overhead on the routers and may providebetter scaling.

In an embodiment, multiple GRE tunnels may be configured between thedata centers 125A-N and the origin network 130. For instance, althoughFIG. 1 shows one origin router 134, the origin network 130 may includemultiple origin routers for redundancy and/or load balancing. As anotherexample, the origin network 130 may have multiple locations where a setof tunnel(s) are established between the data centers 125A-N and originrouter(s) of the first location and a set of tunnel(s) are establishedbetween the data centers 125A-N and origin router(s) of a secondlocation, and so on. In an embodiment, a BGP peering session isestablished with the origin network 130 and BGP announcements are usedthat specify which GRE tunnel(s) traffic is to be sent. In anotherembodiment, an API is exposed for the customer to specify which GREtunnel(s) traffic is to be sent.

In the example of FIG. 1, a GRE tunnel is operatively configured betweeneach of the compute server(s) 128A-N and the origin router 134. Each ofthe compute server(s) 128A-N are configured with a local GRE endpointhaving the same anycast IP address and a remote GRE endpoint having apublicly routable IP address of the origin router 134. The origin router134, in turn, is configured with a local GRE endpoint of its publiclyroutable IP address and a remote GRE endpoint of the anycast IP addressof the compute server(s) 128A-N. With respect to FIG. 1, the computeserver(s) 128A-N each have a local GRE endpoint having an anycast IPaddress of 103.31.4.10 and a remote GRE endpoint having an IP address of192.0.2.10. The origin router 134 is configured with a local GREendpoint having the IP address 192.0.2.10 and a remote GRE endpoint withthe anycast IP address 103.31.4.10.

Return packets (those sent from the origin network 130 and ultimatelydestined for the client device 110) may be sent back through the GREendpoints (e.g., in embodiments where direct server return is not used).If sent back through the GRE endpoints, the origin router 134encapsulates the return IP packet with a destination IP address of theGRE endpoint of the compute server(s) 128A-N. Since the GRE endpoint forthe compute server(s) 128A-N is an anycast IP address, the particulardata center 125 of the data centers 125A-N that receives theencapsulated IP packet is the one closest to the origin router 134according to an anycast implementation as determined by the networkinfrastructure between the origin router 134 and the data centers125A-N.

Since an anycast IP address of the GRE endpoint may be used (as well asan anycast IP address of the origin), the particular data center 125from which an encapsulated IP packet was transmitted to the originnetwork 130 may not necessarily be the same data center 125 thatreceives the return encapsulated IP packet from the origin network 130.For instance, consider a situation where a data center 125 exists inCalifornia, a data center 125 exists in England, the origin network 130is in Paris, and the client device 110 is located in Oregon. An IPpacket sent by the client device 110 will likely be received andprocessed by a compute server 128 of the data center 125 in Californiasince it is closer to Oregon than the data center 125 in England. Acompute server 128 of the data center 125 in California processes the IPpacket and if determines to send to the origin network 130, encapsulatesthe IP packet and transmits the encapsulated IP packet to the originrouter 134 in Paris. The origin router 134 decapsulates the IP packetand transmits it to the origin server 132 for processing. Assuming thatthe origin server 132 transmits a return IP packet that is received bythe origin router 134, the origin router 134 encapsulates a return IPpacket that has the destination IP address of the anycast IP address ofthe GRE endpoint of the compute server(s) 128A-N. Since it is an anycastIP address and it was sent by the origin router 134 in Paris, thatreturn packet will likely be received by the data center 125 in Englandversus the data center 125 in California. Thus, in this example, the IPpacket was sent from a different data center 125 than the data center125 that received the return IP packet. The data center 125 thatreceives the return IP packet processes the packet and transmits it backtowards the client device (in some cases the return IP packet may passthrough multiple data centers 125 to transmit to the client device 110).

In an embodiment, the distributed cloud computing network 120 includesone or more control servers that are operated by the service. Thecontrol server(s) provide a set of tools and interfaces for thecustomers and is accessible over the Internet. For example, the controlserver(s), among other things, allow the customer to configure theperformance services and/or security services including specifying oneor more IP addresses and the services and/or functions to apply to thoseIP address(es). The control server(s) can also configure other settingsfor the performance services and/or security services (e.g.,create/apply firewall rules, caching functions, image optimizationsettings, load balancing settings, mobile device settings, threatprotection, DDoS management/trigger, rate limiting rules, etc.). Thesettings can be selectively applied to one or more of their IPaddresses, pages, and/or resources.

FIG. 3 is a flow diagram that illustrates exemplary operations forestablishing the network layer performance and security service providedby the distributed cloud computing network 120 according to anembodiment. At operation 310, a control server that is operated by theservice receives configuration information from a customer forestablishing the network layer performance and security service for anorigin network. The configuration information may indicate which IPaddress(es) the distributed cloud computing network 120 shouldadvertise, network information of the origin network (e.g., IP addressesof the origin router(s) used for GRE tunnels), information specifyingwhich GRE tunnel(s) traffic is to be sent, configuring the performanceservices and/or security services including specifying one or more IPaddresses and the services and/or functions to apply to those IPaddress(es), and/or configuration for other settings for the performanceservices and/or security services (e.g., create/apply firewall rules,caching functions, image optimization settings, load balancing settings,mobile device settings, threat protection, DDoS management/trigger, ratelimiting rules, etc.). The configuration information may be communicatedfrom the control server to the data centers 125A-N.

Next, at operation 315, a GRE tunnel is configured between each of thecompute server(s) 128A-N of the data centers 125A-N and the originrouter 134 of the origin network 130. The configured GRE tunnels havethe same endpoint at the compute sever(s) 128A-N that use the sameanycast IP address to terminate the GRE tunnel. The configured GREtunnels also have the same endpoint at the origin router 134 (e.g.,using the IP address of the GRE tunnel for the origin router 134). Arouter in each of the data centers 125A-N may advertise the same anycastIP address and the compute server(s) 128A-N are configured to accepttraffic directed to that same anycast IP address and advertise that sameanycast IP address to the router.

Next, at operation 320, IP address(es) of the origin network 130 areadvertised at each of the data centers 125A-N instead of beingadvertised by the origin network 130 to cause IP packets directed atthose IP address(es) to be initially received at the data centers 125A-Ninstead of the origin network 130.

With reference to FIG. 1, the client device 110 (having an IP address of198.51.100.1) transmits the IP packet 140 at operation 1. The clientdevice 110 is a computing device (e.g., desktop, laptop, tablet, mobilephone, smartphone, gaming system, set-top box, Internet of Things (IoT)device, wearable device, etc.) that is capable of accessing networkresources through a client network application (e.g., a browser, amobile application, or other network application). The IP packet 140 isdestined to the origin server 132 (e.g., it includes a destination IPaddress of 203.0.113.1). The IP packet 140 may be any type of IP packet(e.g., HTTP/S, SPDY, FTP, TCP, UDP, IPsec, SIP, or other IP protocol).The IP packet 140 is received at the data center 125A of the distributedcloud computing network 120. The data center 125A receives the IP packet140 because it is the closest data center 125 of the data centers 125A-Nto the client device 110 according to an Anycast implementation.

The data center 125A processes the IP packet 140. In an embodiment wherethe data center 125A includes multiple compute servers, the IP packet140 is sent to one of those compute servers for processing. The multiplecompute servers may form an equal-cost multi-path (ECMP) group and arouter of the data center 125A may determine which compute server willprocess the IP packet 140. The processing may include performing one ormore performance and/or one or more security services as previouslydescribed. In an embodiment, if it is determined that the IP packet 140is to be transmitted to the origin network 130, the compute server 128Aof the data center 125A encapsulates the IP packet 140 inside an outerGRE packet as shown in the encapsulated packet 142, and transmits theencapsulated packet 142 to the origin router 134 at operation 2. Theouter source and destination IP addresses of the outer GRE packetcorrespond to the GRE tunnel endpoints. Thus, the IP address of the GREendpoint of the compute server 128A (103.31.4.10) is the source IPaddress of the outer GRE packet, and the IP address of the GRE endpointof the origin router 134 (192.0.2.10) is the destination IP address ofthe outer GRE packet. The inner IP packet may be the same as shown inpacket 142. As an example, the payload of the packet 140 and the payloadof the inner IP packet of the encapsulated packet 142 may be differentbecause the processing stage may modify the payload. The packet 142 maytraverse multiple other network equipment (e.g., internet nodes) alongthe route to the origin router 134.

The origin router 134 decapsulates the packet 142 (removes the outer GREpacket) and transmits the IP packet 144 to the origin server 132 atoperation 3. The origin server 132 will process the packet 144 and maytransmit a return packet 146. If so, the return packet 146 is receivedby the origin router 134 at operation 4. The return packet 146 has asource IP address of the origin server 132 (203.0.113.10) and adestination IP address of the client device 110 (198.51.100.1).

In an embodiment, the origin router 134 is configured to transmitoutgoing IP packets over the overlay network over the public internet tothe distributed cloud computing network 120. For instance, the originrouter 134 is configured to transmit outgoing IP packets over the publicinternet over a GRE tunnel to the distributed cloud computing network120. As illustrated in FIG. 1, the origin router 134 encapsulates the IPpacket 146 inside an outer GRE packet as shown in the encapsulatedpacket 148. The outer source and destination IP addresses of the outerGRE packet correspond to the GRE tunnel endpoints. Thus, the IP addressof the GRE endpoint of the origin router 134 (192.0.2.10) is the sourceIP address of the outer GRE packet, and the anycast IP address103.31.4.10 is the destination IP address of the outer GRE packet. Theorigin router 134 transmits the encapsulated packet 148 at operation 5.Since the destination IP address of the outer GRE packet is an anycastIP address (announced by each of the data centers 125A-N), the datacenter 125 that is closest to the origin router 134 (according to theanycast implementation) will receive the encapsulated packet 148. In theexample of FIG. 1, the data center 125N receives the encapsulated packet148 because it is the closest data center 125 of the distributed cloudcomputing network 120 to the origin router 134. Although FIG. 1 shows adifferent data center 125 receiving the return encapsulated packet, thesame data center 125 may transmit the encapsulated IP packet and receivea return encapsulated IP packet if it is also the closest data center tothe origin router 134.

The data center 125N receives the encapsulated packet 148 anddecapsulates the packet (removing the outer GRE packet). For instance,the router of the data center 125N receives the encapsulated packet 148and sends it to one of the compute server(s) 128N for processing. Ifthere are multiple compute servers in the data center 125N, one of thecompute servers is selected (e.g., based on a load balancing algorithmor based on ECMP selection). The compute server 128N decapsulates theencapsulated packet 148 and processes the decapsulated packet.Processing the packet may include performing one more performanceservices and/or one or more security services on the packet. Assumingthat the compute server 128N determines to transmit the packet to theclient device 110, the compute server 128N transmits the decapsulated IPpacket 150 to the client device 110. The IP packet 146 is the same asthe IP packet 150 unless the compute server 128N modified the packetduring processing.

Although FIG. 1 shows an embodiment where the origin router 134transmits outgoing IP packets over an overlay network over the publicinternet to the distributed cloud computing network 120, in anotherembodiment the origin router 134 performs direct server return andinstead transmits return packets directly to the client device 110. Insuch an embodiment, the origin router 134 would transmit the packet 146over the public internet to the client device 110.

FIG. 1 shows an embodiment where it is possible that different datacenters 125A may process the incoming packet from a client device andtransmit the outgoing packet to the client device. FIG. 4 shows anembodiment where the same data center 125A (and potentially same computeserver within the data center 125A) processes the incoming packet andoutgoing packet. This may allow applications to provide upper layerprocessing (e.g., Layer 4 and/or Layer 7 processing) where bidirectionalflow (incoming and outgoing) may be needed. For instance, additionalfeatures can be provided such as inspection of the contents ofconnections, rewriting content, adding transport layer security (TLS),etc.

FIG. 4 illustrates an exemplary system for network layer performance andsecurity provided by a distributed cloud computing network according toan embodiment. FIG. 4 is like FIG. 1 where the data centers 125A-Nreceive IP traffic for the origin server 132, and a GRE tunnel isconfigured between each of the compute server(s) 128A-N of the datacenters 125A-N and the origin network 130 (e.g., the origin router 134of the origin network 130). The GRE endpoints at the compute server(s)128A-N use the same anycast IP address to terminate the GRE tunnel. Eachof the compute server(s) 128A-N are configured with a local GRE endpointhaving the same anycast IP address and a remote GRE endpoint having apublicly routable IP address of the origin router 134. The origin router134, in turn, is configured with a local GRE endpoint of its publiclyroutable IP address and a remote GRE endpoint of the anycast IP addressof the compute server(s) 128A-N. With respect to FIG. 4, the computeserver(s) 128A-N each have a local GRE endpoint having an anycast IPaddress of 103.31.4.10 and a remote GRE endpoint having an IP address of192.0.2.10. The origin router 134 is configured with a local GREendpoint having the IP address 192.0.2.10 and a remote GRE endpoint withthe anycast IP address 103.31.4.10.

At operation 1, the client device 110 (having an IP address of198.51.100.1) transmits the IP packet 440. The IP packet 440 is destinedto the origin server 132 (e.g., it has a destination IP address of203.0.113.1). The IP packet 440 may be any type of IP packet (e.g.,HTTP/S, SPDY, FTP, TCP, UDP, IPsec, SIP, or other IP protocol). The IPpacket 440 is received at the data center 125A of the distributed cloudcomputing network 120. Like FIG. 1, the data center 125A receives the IPpacket 440 because it is the closest data center 125 of the data centers125A-N to the client device 110 according to an Anycast implementation.

The data center 125A processes the IP packet 440. In an embodiment wherethe data center 125A includes multiple compute servers, the IP packet440 is sent to one of those compute servers for processing likedescribed in FIG. 1. The multiple compute servers may form an equal-costmulti-path (ECMP) group and a router of the data center 125A maydetermine which compute server will process the IP packet 440. Theprocessing may include performing one or more performance and/or one ormore security services as previously described.

In the example of FIG. 4, the compute server 128A may have determinedthat the IP packet 440 would benefit from bidirectional flow. Thecompute server 128A may terminate the TCP/UDP connection with the clientdevice 110 and establish a TCP/UDP connection with the origin network130. In an embodiment, the compute server 128A does not preserve thesource IP address of the original IP packet 440 and instead uses an IPaddress of a compute server of the data center 125A (in this case, anaddress of 103.31.4.100), encapsulates that IP packet inside an outerGRE packet as shown in the encapsulated packet 442, and transmits theencapsulated packet 442 to the origin router 134 at operation 2. Theouter source and destination IP addresses of the outer GRE packetcorrespond to the GRE tunnel endpoints. Thus, the IP address of the GREendpoint of the compute server 128A (103.31.4.10) is the source IPaddress of the outer GRE packet, and the IP address of the GRE endpointof the origin router 134 (192.0.2.10) is the destination IP address ofthe outer GRE packet. The inner IP packet appears to be sourced from thecompute server 128A.

The origin router 134 decapsulates the packet 442 (removes the outer GREpacket) and transmits the IP packet 444 to the origin server 132 atoperation 3. The origin server 132 will process the packet 444 and maytransmit a return packet 446. If so, the return packet 446 is receivedby the origin router 134 at operation 4. The return packet 446 has asource IP address of the origin server 132 (203.0.113.10) and adestination IP address of the compute server 128A of the data center125A.

In an embodiment, the origin router 134 is configured to transmitoutgoing IP packets over the overlay network over the public internet tothe distributed cloud computing network 120. For instance, the originrouter 134 is configured to transmit outgoing IP packets over the publicInternet over a GRE tunnel to the distributed cloud computing network120. As illustrated in FIG. 4, the origin router 134 encapsulates the IPpacket 446 inside an outer GRE packet as shown in the encapsulatedpacket 448. The outer source and destination IP addresses of the outerGRE packet correspond to the GRE tunnel endpoints. Thus, the IP addressof the GRE endpoint of the origin router 134 (192.0.2.10) is the sourceIP address of the outer GRE packet, and the anycast IP address103.31.4.10 is the destination IP address of the outer GRE packet. Theorigin router 134 transmits the encapsulated packet 448 at operation 5.Since the destination IP address of the outer GRE packet is an anycastIP address (announced by each of the data centers 125A-N), the datacenter 125 that is closest to the origin router 134 (according to theanycast implementation) will receive the encapsulated packet 448. In theexample of FIG. 4, the data center 125N receives the encapsulated packet448 because it is the closest data center 125 of the distributed cloudcomputing network 120 to the origin router 134.

The data center 125N receives the encapsulated packet 448 anddecapsulates the packet (removing the outer GRE packet). For instance,the router of the data center 125N receives the encapsulated packet 448and sends it to one of the compute server(s) 128N for processing. Ifthere are multiple compute servers in the data center 125N, one of thecompute servers is selected (e.g., based on a load balancing algorithmor based on ECMP selection). The compute server 128N decapsulates theencapsulated packet 448 and processes the decapsulated packet. Thecompute server 128N transmits the inner IP packet 450 to its destinationat operation 6, which in this case is the compute server 128A in thedata center 125A. In an embodiment, the compute server 128N encapsulatesthe inner IP packet into an encapsulated packet and tunnels the packetto the compute server 128A.

The compute server 128A of the data center 125A receives and processesthe packet 450 (including decapsulating if necessary). Since the computeserver sees the bidirectional flow of packets, the compute server canperform additional layer 4 and/or layer 7 processing that it otherwisecould not do, such as layer 7 filtering including packet inspection tolook at the content of the packets for inconsistencies, invalid ormalicious commands, and/or executable programs; rewriting content; andadding TLS. Assuming that the compute server 128A within the data center125A determines to transmit the packet to the client device 110, thecompute server 128A of the data center 125A transmits the IP packet 452(which has been modified to include the source IP address of the originserver 132) to the client device 110 at operation 7.

Although FIG. 4 shows an embodiment where the origin router 134transmits outgoing IP packets over an overlay network over the publicinternet to the distributed cloud computing network 120, in anotherembodiment the origin router 134 performs direct server return. In thecase of FIG. 4, since the source IP address of the packet 444 is an IPaddress of the compute server 128A, the origin router 134 transmits thepacket directly to the compute server 128A (e.g., over the publicinternet). The compute server 128A may then perform processing on thepacket as previously described and transmit the packet to the clientdevice 110.

FIG. 5 is a flow diagram that illustrates exemplary operations for anetwork layer performance and security service provided by a distributedcloud computing network according to an embodiment. The operations ofFIG. 5 are described with reference to the exemplary embodiment of FIGS.1 and 4. However, the operations of FIG. 5 can be performed byembodiments other than those discussed with reference to FIGS. 1 and 4,and the embodiments discussed with reference to FIGS. 1 and 4 canperform operations different than those discussed with reference to FIG.5.

At operation 505, an IP packet is received from a client device at afirst data center 125A of the data centers 125A-N. The IP packet isdestined to an IP address that belongs to an origin server. Each of thedata centers 125A-N advertise the IP address (or IP address prefix thatincludes the IP address) as an anycast IP address instead of that IPaddress being advertised by the origin server. This causes IP packetsdestined to that IP address to be instead received at one of the datacenters 125A-N. The first data center 125A receives the IP packet as aresult of an anycast determination that the first data center 125A isclosest to the client device out of the data centers 125A-N.

Next, at operation 510, the received IP packet is processed by a computeserver 128A of the first data center 125A. In an embodiment, processingthe received IP packet includes performing one or more performanceservices and/or one or more security services as previously described.In an embodiment, the compute server 128A dynamically determines whichone or more performance services and/or one or more security services toperform based on information of, or associated with, the IP packet. Forinstance, a customer may configure which service(s) to apply to which IPaddress(es) and/or type of IP packet received. The compute server 128Aaccesses this configuration to determine if and what service(s) to applyto the received packet. Processing the received IP packet may determinethat bidirectional flow processing is desired (e.g., the same computeserver processing the ingress and egress). The compute server 128A mayterminate the TCP/UDP connection with the client device and establish aTCP/UDP connection with the origin network 130. The processing of thepacket may be done in multiple stages, as is further described in FIG.11 for instance.

If it is determined to transmit the IP packet to the origin network,then operation 515 is performed. At operation 515, the compute server128A generates an encapsulated IP packet that uses IP as the transportprotocol. In a specific example, the encapsulated IP packet is a GREencapsulated IP packet. The inner packet of the encapsulated IP packetis the result of the processed IP packet. The inner packet may have thesame source IP address as the packet received from the client device ifit is determined that bidirectional flow processing is not needed (e.g.,any of the compute servers from any of the data centers may process thereturn packet), such as shown in packet 142 of FIG. 1. If it isdetermined that bidirectional flow processing is desired, the innerpacket of the encapsulated IP packet may have a source IP address of thecompute server 128A instead of the client device, such as shown inpacket 442 of FIG. 4. The outer packet of the encapsulated IP packet hasa source IP address that is an anycast IP address advertised by each ofthe compute server(s) 128A-N at each of the data centers 125A-N and canbe used as a tunneling endpoint on each of the compute server(s) 128A-N.The outer packet of the encapsulated IP packet as a destination IPaddress of an IP address of the origin router 134 (e.g., a publiclyroutable IP address of the origin router 134).

Next, at operation 520, the compute server 128A transmits theencapsulated IP packet to the IP address of the origin router 134. Atoperation 525, the origin router 134 of the origin network 130 receivesand decapsulates the encapsulated IP packet. The origin router 134transmits the inner packet to the origin server 132 for furtherprocessing. The origin server 132 processes the inner packet and mayrespond with a reply packet. The reply packet is received at the originrouter 134. At operation 530, the IP packet is processed includinggenerating an encapsulated IP packet that uses IP as the transportprotocol (e.g., a GRE encapsulated IP packet). The inner packet of theencapsulated IP packet is the reply packet from the origin server 132.The inner packet has a source IP address of the origin server 132. Theinner packet has a destination IP address that corresponds with sourceIP address of the inner packet of the encapsulated IP packet sent fromthe compute server 128A to the origin router 134 (e.g., the destinationIP address may be of the client device or the compute server 128A). Theouter packet of the encapsulated reply IP packet has a source IP addressof the origin router 134 (the tunnel endpoint address of the originrouter 134) and has a destination IP address of the anycast IP address(the tunnel endpoint address of the compute server(s) 128A-N. Next, atoperation 532, the encapsulated IP packet is transmitted to the anycastIP address of the compute server(s) 128A-N.

As previously described, since the tunnel endpoint for the computeserver(s) 128A-N is an anycast IP address, the particular data center125 of the data centers 125A-N that receives the encapsulated return IPpacket at the tunnel endpoint is the one closest to the origin router134 according to an anycast implementation as determined by the networkinfrastructure between the origin router 134 and the data centers125A-N. The operations in FIG. 5 describe this situation. Thus, atoperation 535, the encapsulated return IP packet is received at a seconddata center 125N out of the data centers 125A-N. This return IP packetis received at the data center 125N as a result of an anycastimplementation determination that the data center 125N is closest to theorigin network 130 out of the data centers 125A-N. A compute server 128Nof the data center 125N decapsulates the encapsulated IP packetrevealing the inner IP packet (the reply packet from the origin server132).

Next, at operation 540, the compute server 128N processes the replypacket including transmitting the reply packet to its destination IPaddress. The destination IP address may be the client device. If so, thecompute server 128N may perform processing including performing one ormore performance services and/or one or more security services beforetransmitting the reply packet to the client device. If the destinationIP address is a different compute server (e.g., the compute server128A), the compute server 128N transmits the reply packet to thatdifferent compute server for further processing. The compute server 128Nmay encapsulate the reply packet in an encapsulated IP packet beforetransmitting to the other compute server. The other compute server willreceive the packet, decapsulate if necessary, and process the replypacket including performing one or more performance services and/or oneor more security services before transmitting the reply packet to theclient device.

FIG. 4 showed an embodiment where the compute server 128A determinedthat the IP packet would benefit from bidirectional flow andsubsequently changed the source IP address of the inner packet to an IPaddress of the compute server 128A so return packets are directed tothat compute server 128A. In another embodiment, bidirectional flow canbe achieved without changing the source IP address of the inner packet.For instance, a visitor probability map that provides the likelihood ofa particular IP address and/or IP address range being received at aparticular data center 125 may be used to determine where the replypacket should be delivered. If the probability that the packet wasreceived at a particular data center 125 exceeds a threshold, the replypacket may be directed to that data center 125. The probability map maybe generated based on IP geolocation databases and/or historicalanalysis of IP addresses and data centers 125 that encountered those IPaddresses. For instance, consider a data center 125 in California and adata center 125 in England (anycasted to the same IP address). It isunlikely that traffic from a client device in California would bereceived at the data center in England, and vice versa. The visitorprobability map allows the system to determine, with a degree ofaccuracy, that a reply packet having a particular destination IP addresslikely belongs to a flow that was initially processed at a particulardata center. In some cases, if no probability exceeds the threshold, thecompute server that receives the return packet processes the returnpacket.

FIG. 6 illustrates an exemplary system for network layer performance andsecurity provided by a distributed cloud computing network according toan embodiment. FIG. 6 is like FIG. 4 where the data centers 125A-Nreceive IP traffic for the origin server 132, and a GRE tunnel isconfigured between each of the compute server(s) 128A-N of the datacenters 125A-N and the origin network 130 (e.g., the origin router 134of the origin network 130). The GRE endpoints at the compute server(s)128A-N use the same anycast IP address to terminate the GRE tunnel. Eachof the compute server(s) 128A-N are configured with a local GRE endpointhaving the same anycast IP address and a remote GRE endpoint having apublicly routable IP address of the origin router 134. The origin router134, in turn, is configured with a local GRE endpoint of its publiclyroutable IP address and a remote GRE endpoint of the anycast IP addressof the compute server(s) 128A-N. With respect to FIG. 6, the computeserver(s) 128A-N each have a local GRE endpoint having an anycast IPaddress of 103.31.4.10 and a remote GRE endpoint having an IP address of192.0.2.10. The origin router 134 is configured with a local GREendpoint having the IP address 192.0.2.10 and a remote GRE endpoint withthe anycast IP address 103.31.4.10.

At operation 1, the client device 110 (having an IP address of198.51.100.1) transmits the IP packet 640. The IP packet 640 is destinedto the origin server 132 (e.g., it has a destination IP address of203.0.113.1). The IP packet 640 may be any type of IP packet (e.g.,HTTP/S, SPDY, FTP, TCP, UDP, IPsec, SIP, or other IP protocol). The IPpacket 640 is received at the data center 125A of the distributed cloudcomputing network 120. Like FIG. 4, the data center 125A receives the IPpacket 640 because it is the closest data center 125 of the data centers125A-N to the client device 110 according to an Anycast implementation.

The data center 125A processes the IP packet 640. In an embodiment wherethe data center 125A includes multiple compute servers, the IP packet640 is sent to one of those compute servers for processing likedescribed in FIG. 1. The multiple compute servers may form an equal-costmulti-path (ECMP) group and a router of the data center 125A maydetermine which compute server will process the IP packet 640. Theprocessing may include performing one or more performance and/or one ormore security services as previously described.

In the example of FIG. 6, the compute server 128A may have determinedthat the IP packet 440 would benefit from bidirectional flow. However,unlike the example shown in FIG. 4 where the source IP address of theoriginal IP packet 440 is not used in the inner IP packet (the innerpacket used an IP address of the compute server 128A as the source IPaddress), the inner packet of the encapsulated packet 642 maintains thesource IP address of the original IP packet 640. That inner packet isencapsulated inside an outer GRE packet as shown in the encapsulatedpacket 642, and the compute server 128A transmits the encapsulatedpacket 442 to the origin router 134 at operation 2. The outer source anddestination IP addresses of the outer GRE packet correspond to the GREtunnel endpoints. Thus, the IP address of the GRE endpoint of thecompute server 128A (103.31.4.10) is the source IP address of the outerGRE packet, and the IP address of the GRE endpoint of the origin router134 (192.0.2.10) is the destination IP address of the outer GRE packet.The inner IP packet continues to appear to be sourced from the clientdevice 110.

The origin router 134 decapsulates the packet 642 (removes the outer GREpacket) and transmits the IP packet 644 to the origin server 132 atoperation 3. The origin server 132 will process the packet 644 and maytransmit a return packet 646. If so, the return packet 646 is receivedby the origin router 134 at operation 4. The return packet 646 has asource IP address of the origin server 132 (203.0.113.10) and adestination IP address of the client device 110.

In an embodiment, the origin router 134 is configured to transmitoutgoing IP packets over the overlay network over the public internet tothe distributed cloud computing network 120. For instance, the originrouter 134 is configured to transmit outgoing IP packets over the publicInternet over a GRE tunnel to the distributed cloud computing network120. As illustrated in FIG. 6, the origin router 134 encapsulates the IPpacket 646 inside an outer GRE packet as shown in the encapsulatedpacket 648. The outer source and destination IP addresses of the outerGRE packet correspond to the GRE tunnel endpoints. Thus, the IP addressof the GRE endpoint of the origin router 134 (192.0.2.10) is the sourceIP address of the outer GRE packet, and the anycast IP address103.31.4.10 is the destination IP address of the outer GRE packet. Theorigin router 134 transmits the encapsulated packet 648 at operation 5.Since the destination IP address of the outer GRE packet is an anycastIP address (announced by each of the data centers 125A-N), the datacenter 125 that is closest to the origin router 134 (according to theanycast implementation) will receive the encapsulated packet 648. In theexample of FIG. 6, the data center 125N receives the encapsulated packet448 because it is the closest data center 125 of the distributed cloudcomputing network 120 to the origin router 134.

The data center 125N receives the encapsulated packet 648 anddecapsulates the packet (removing the outer GRE packet). For instance,the router of the data center 125N receives the encapsulated packet 648and sends it to one of the compute server(s) 128N for processing. Ifthere are multiple compute servers in the data center 125N, one of thecompute servers is selected (e.g., based on a load balancing algorithmor based on ECMP selection). The compute server 128N decapsulates theencapsulated packet 648 and processes the decapsulated packet. Since thedecapsulated packet has a destination IP address of the client device110) the data center 125N uses a visitor probability map (e.g., based onthe destination IP address) to determine that the ingress data centerfor the packet flow was likely data center 125A. To transmit thedecapsulated IP packet to the data center 125A, in an embodiment the IPpacket is encapsulated (e.g., using UDP) for transit between the datacenter 125N to the data center 125A. For instance, the compute server128N encapsulates the inner IP packet inside an outer UDP packet asillustrated in the encapsulated packet 650. The outer UDP packet has asource IP address of the compute server 128N and a destination IPaddress of the compute server 128A. The compute server 128N transmitsthe encapsulated packet 650 to the compute server 128A for furtherprocessing.

The compute server 128A of the data center 125A receives and processesthe encapsulated packet 650 including decapsulating the packet to revealthe inner IP packet. Since the compute server 128A sees thebidirectional flow of packets, the compute server 128A can performadditional layer 4 and/or layer 7 processing that it otherwise could notdo, such as layer 7 filtering including packet inspection to look at thecontent of the packets for inconsistencies, invalid or maliciouscommands, and/or executable programs; rewriting content; and adding TLS.Assuming that the compute server 128A within the data center 125Adetermines to transmit the packet to the client device 110, the computeserver 128A of the data center 125A transmits the IP packet 652 to theclient device 110 at operation 7.

Although FIG. 6 shows an embodiment where the origin router 134transmits outgoing IP packets over an overlay network over the publicinternet to the distributed cloud computing network 120, in anotherembodiment the origin router 134 performs direct server return. In thecase of FIG. 6, since the source IP address of the packet 444 is an IPaddress of the client device 110, the origin router 134 transmits thepacket directly to the client device 110 (e.g., over the publicinternet).

FIGS. 1, 4, and 6 describe embodiments where the origin network 130 isseparate from the distributed cloud computing network 120 and the originrouter 134 is accessible on the public internet. In another embodiment,a Private Network Interconnect (PNI) is established with the distributedcloud computing network 120. In this embodiment, the origin network 130is directly connected to one or more of the data centers 125A-N suchthat all traffic is delivered over that private interconnect rather thanover the public internet.

FIG. 7 shows an embodiment where a PNI is established between the originnetwork 130 and the compute server(s) 128A of the data center 125Aaccording to an embodiment. The PNI 710 is established between theorigin router 134 and a router of the data center 125A that is connectedto the compute server(s) 128A (the router of the data center 125A is notshown to not obscure understanding). The PNI 710 may be a physicalconnection (e.g., a fiber connection) that connects a port of the originrouter 134 to a port of the router of the data center 125A. Theequipment are typically within the same building. If a client deviceconnects to the data center that has the PNI connection to the originnetwork, traffic can be simply transmitted to the origin router.However, if a client device connects to a data center that does not havethe PNI connection to the origin network, then traffic is encapsulatedand transmitted to the data center that is connected to the PNIconnection to the origin network. The example shown in FIG. 7 is where aclient device connects to the data center that has a PNI connection tothe origin network.

At operation 1, the client device 110 (having an IP address of198.51.100.1) transmits the IP packet 740. The IP packet 740 is destinedto the origin server 132 (e.g., it has a destination IP address of203.0.113.1). The IP packet 740 may be like the IP packet 140. Like FIG.1, the data center 125A receives the IP packet 740 because it is theclosest data center 125 of the data centers 125A-N to the client device110 according to an Anycast implementation. The data center 125Aprocesses the IP packet 740. In an embodiment where the data center 125Aincludes multiple compute servers, the IP packet 740 is sent to one ofthose compute servers for processing like described in FIG. 1. Themultiple compute servers may form an equal-cost multi-path (ECMP) groupand a router of the data center 125A may determine which compute serverwill process the IP packet 740. The processing may include performingone or more performance and/or one or more security services aspreviously described.

The data center 125A has a PNI with the origin network 130. Accordingly,if the compute server 128A determines to transmit the packet to theorigin network 130, it may do so directly. Thus, at operation 2, thecompute server 128A transmits the IP packet 742 to the origin network130 over the PNI 710. The IP packet 742 may include as its source IPaddress the IP address of the client device 110 or the IP address of thecompute server 128A. The origin router 134 receives the packet 742 andforwards the packet to the origin server 132. The origin server 132processes the packet and may transmit a return IP packet 744 that isforwarded by the origin router 134 over the PNI 710 at operation 3. Thecompute server 128A receives and processes the return packet 744 whichmay include performing one or more performance and/or one or moresecurity services as previously described. Assuming that the computeserver 128A within the data center 125A determines to transmit thepacket to the client device 110, the compute server 128A transmits theIP packet 746 to the client device 110 at operation 4. Although FIG. 7illustrates the packets 742 and 744 being transmitted without anadditional IP encapsulation layer, in some embodiments the packets 742and 744 are further encapsulated (e.g, UDP encapsulated, GREencapsulated, etc.).

FIG. 8 shows an embodiment where a PNI is established between the originnetwork 130 and the compute server(s) 128A of the data center 125Aaccording to an embodiment. In the example of FIG. 8, a packet isreceived from a client device at a data center 125 that does not have aPNI connection to the origin network. At operation 1, the client device810 (having an IP address of 198.51.100.2) transmits the IP packet 840.The IP packet 840 is destined to the origin server 132 (e.g., it has adestination IP address of 203.0.113.1). The IP packet 840 may be likethe IP packet 140. The data center 125N receives the IP packet 840because it is the closest data center 125 of the data centers 125A-N tothe client device 810 according to an Anycast implementation. The datacenter 125N processes the IP packet 840. In an embodiment where the datacenter 125N includes multiple compute servers, the IP packet 840 is sentto one of those compute servers for processing like described in FIG. 1.The multiple compute servers may form an equal-cost multi-path (ECMP)group and a router of the data center 125N may determine which computeserver will process the IP packet 840. The processing may includeperforming one or more performance and/or one or more security servicesas previously described. Since the data center 125N does not have a PNIconnection to the origin network 130, the packet is encapsulated andtransmitted to the data center 125A for transmission to the originnetwork 130 over the PNI 710.

In an embodiment, the compute server 128A and the compute server 128Nhave a tunnel 815 that allows traffic to be tunneled between them. Forinstance, the compute server 128N may lookup the destination IP addressof the packet (which in this case is an IP address of the origin server132) in a routing table and see a next hop for that destination IPaddress to be of the compute server 128A. The compute server 128N mayencapsulate the packet (e.g., in UDP) and transmit the encapsulatedpacket to the next hop. As shown in FIG. 8, the compute server transmitsthe encapsulated packet 842 to the compute server 128A. The encapsulatedpacket 842 includes an outer packet where the outer source anddestination IP address correspond to tunnel endpoints between thecompute server(s) 128N and 128A. Other encapsulation techniques may beused to transmit the packet between compute servers.

The compute server 128A receives and processes the encapsulated packet842 including decapsulating the packet. The processing may includeperforming one or more performance and/or one or more security servicesas previously described. The data center 125A has a PNI with the originnetwork 130. Accordingly, if the compute server 128A determines totransmit the packet to the origin network 130, it may do so directly.Thus, at operation 3, the compute server 128A transmits the IP packet844 to the origin network 130 over the PNI 710. The origin router 134receives the packet 844 and forwards the packet to the origin server132. The origin server 132 processes the packet and may transmit areturn IP packet 846 that is forwarded by the origin router 134 over thePNI 710 at operation 4. The compute server 128A receives and processesthe return packet 846 which may include performing one or moreperformance and/or one or more security services as previouslydescribed. The compute server 128A may transmit the packet directly tothe client device 810 or may transmit the packet to the data center 125Nfor transmission to the client device 810. In the example of FIG. 8, thecompute server 128A generates the encapsulated packet 848 and transmitsthe encapsulated packet 848 over the tunnel 815 to the compute server128N at operation 5. The compute server 128N receives and processes thepacket including decapsulating the encapsulated packet 848. The computeserver 128N may perform other processing on the packet includingperforming one or more performance and/or one or more security servicesas previously described. Assuming that the compute server 128Ndetermines to transmit the packet to the client device 810, the computeserver 128N transmits the IP packet 850 to the client device 810 atoperation 6. Although FIG. 8 illustrates the packets 844 and 846 beingtransmitted without an additional IP encapsulation layer, in someembodiments the packets 844 and 846 are further encapsulated (e.g, UDPencapsulated, GRE encapsulated, etc.).

FIG. 9 is a flow diagram that illustrates exemplary operations for anetwork layer performance and security service provided by a distributedcloud computing network according to an embodiment. The operations ofFIG. 9 are described with reference to the exemplary embodiment of FIGS.7 and 8. However, the operations of FIG. 9 can be performed byembodiments other than those discussed with reference to FIGS. 7 and 8,and the embodiments discussed with reference to FIGS. 7 and 8 canperform operations different than those discussed with reference to FIG.9.

At operation 905, an IP packet is received from a client device at afirst data center 125A of the data centers 125A-N. The IP packet isdestined to an IP address that belongs to an origin server. Each of thedata centers 125A-N advertise the IP address (or IP address prefix thatincludes the IP address) as an anycast IP address instead of that IPaddress being advertised by the origin server. This causes IP packetsdestined to that IP address to be instead received at one of the datacenters 125A-N. The first data center 125A receives the IP packet as aresult of an anycast determination that the first data center 125A isclosest to the client device out of the data centers 125A-N.

Next, at operation 910, the received IP packet is processed by a computeserver 128A of the first data center 125A. In an embodiment, processingthe received IP packet includes performing one or more performanceservices and/or one or more security services as previously described.In an embodiment, the compute server 128A dynamically determines whichone or more performance services and/or one or more security services toperform based on information of, or associated with, the IP packet. Forinstance, a customer may configure which service(s) to apply to which IPaddress(es) and/or type of IP packet received. The compute server 128Aaccesses this configuration to determine if and what service(s) to applyto the received packet. Processing the received IP packet may determinethat bidirectional flow processing is desired (e.g., the same computeserver processing the ingress and egress). The compute server 128A mayterminate the TCP/UDP connection with the client device and establish aTCP/UDP connection with the origin network 130. The processing of thepacket may be done in multiple stages, as is further described in FIG.11 for instance.

If it is determined to transmit the IP packet to the origin network,then operation 915 is performed. At operation 915, the compute server128A determines if the destination is connected to one of the datacenters 125A-N through a private network interconnect (PNI). Forinstance, the compute server 128A may use the destination IP address ofthe received IP packet to lookup whether the origin network is connectedto one of the data centers 125A-N through a PNI and which one or moredata centers 125A-N (if any) is connected through PNI. If thedestination is not connected to one of the data centers 125A-N through aPNI, then operations starting at operation 515 of FIG. 5 are performed.If the destination is connected to one of the data centers 125A-N, thenoperation 920 is performed to determine which data center 125 isconnected to the destination through a PNI.

If the data center that is connected with the origin network through aPNI is this data center (e.g., the data center 125A), then the packetcan be sent to the origin router 134 directly through the PNIconnection. Thus, at operation 950, the compute server 128A transmitsthe IP packet to the origin server 132 (though the origin router 134)using the PNI connection. The origin network will process the IP packetand may transmit a reply packet. Next, at operation 955, the computeserver 128A of the data center 125A receives a reply packet from theorigin server 132 (through the origin router 134) through the PNIconnection. The compute server 128A may process the reply packetincluding performing or more performance services and/or one or moresecurity services before transmitting the reply packet to the clientdevice. Next, at operation 960, the compute server 128A transmits thereply IP packet to the client device 110.

If the data center that is connected with the origin network is adifferent data center (a second one of the data centers 125B-N), theoperation 930 is performed. At operation 930, the first data center 125Agenerates an encapsulated IP packet that uses IP as the transportprotocol to transmit the processed IP packet from the client device tothe second data center that is connected to the origin network over aPNI connection. By way of example, the encapsulation protocol may beUDP, GRE, IP in IP, IPSec, L2TP, VXLAN, or other encapsulation. The IPheader of the outer packet has a destination IP address of the seconddata center that is connected to the origin network over the PNIconnection. The source IP address of the outer packet may be the IPaddress of the first data center. The source IP address of the innerpacket may be the IP address of the client device or may be changed toan IP address of the data center (e.g., the anycast IP address of theorigin prefix advertised by the data centers). Next, at operation 925,the first data center transmits the encapsulated IP packet to the seconddata center. The second data center receives and processes theencapsulated IP packet including decapsulating the encapsulated IPpacket to reveal the processed IP packet. The second data center mayfurther process the IP packet including performing one or moreperformance and/or one or more security services as previouslydescribed. Assuming that the second data center determines to transmitthe IP packet to the origin, the second data center transmits theencapsulated IP packet to the origin over the PNI connection atoperation 935. The origin network will process the IP packet and maytransmit a reply packet over the PNI connection that is received by thesecond data center. The second data center processes the reply packetincluding performing one or more performance and/or one or more securityservices as previously described. Assuming that the second data centerdetermines to transmit the IP packet toward the client device, thesecond data center generates an encapsulated IP packet that uses IP asthe transport protocol to transmit the processed reply packet from thesecond data center to the first data center. Thus, at operation 940, thefirst data center receives and processes the encapsulated IP packet fromthe second data center including decapsulating the IP packet to revealthe reply IP packet. The first data center may further process the replyIP packet including performing one or more performance and/or one ormore security services as previously described. Assuming that the firstdata center determines to transmit the processed reply IP packet to theclient device, at operation 960, the compute server 128A transmits thereply IP packet to the client device 110.

FIG. 10 is a flow diagram that illustrates exemplary operations for anetwork layer performance and security service provided by a distributedcloud computing network according to an embodiment. The operations ofFIG. 10 are described with reference to the exemplary embodiment of FIG.6. However, the operations of FIG. 10 can be performed by embodimentsother than those discussed with reference to FIG. 6, and the embodimentsdiscussed with reference to FIG. 6 can perform operations different thanthose discussed with reference to FIG. 10.

At operation 1005, an IP packet is received from a client device at afirst data center 125A of the data centers 125A-N. The IP packet isdestined to an IP address that belongs to an origin server. Each of thedata centers 125A-N advertise the IP address (or IP address prefix thatincludes the IP address) as an anycast IP address instead of that IPaddress being advertised by the origin server. This causes IP packetsdestined to that IP address to be instead received at one of the datacenters 125A-N. The first data center 125A receives the IP packet as aresult of an anycast determination that the first data center 125A isclosest to the client device out of the data centers 125A-N.

Next, at operation 1010, the received IP packet is processed by acompute server 128A of the first data center 125A. In an embodiment,processing the received IP packet includes performing one or moreperformance services and/or one or more security services as previouslydescribed. In an embodiment, the compute server 128A dynamicallydetermines which one or more performance services and/or one or moresecurity services to perform based on information of, or associatedwith, the IP packet. For instance, a customer may configure whichservice(s) to apply to which IP address(es) and/or type of IP packetreceived. The compute server 128A accesses this configuration todetermine if and what service(s) to apply to the received packet.Processing the received IP packet may determine that bidirectional flowprocessing is desired (e.g., the same compute server processing theingress and egress). The compute server 128A may terminate the TCP/UDPconnection with the client device and establish a TCP/UDP connectionwith the origin network 130. The processing of the packet may be done inmultiple stages, as is further described in FIG. 11 for instance.

If it is determined to transmit the IP packet to the origin network,then operation 1015 is performed. At operation 1015, the compute server128A generates an encapsulated IP packet that uses IP as the transportprotocol. In a specific example, the encapsulated IP packet is a GREencapsulated IP packet. The inner packet of the encapsulated IP packetis the result of the processed IP packet and the source IP address is ofthe client device. The outer packet of the encapsulated IP packet has asource IP address that is an anycast IP address advertised by each ofthe compute server(s) 128A-N at each of the data centers 125A-N and canbe used as a tunneling endpoint on each of the compute server(s) 128A-N.The outer packet of the encapsulated IP packet as a destination IPaddress of an IP address of the origin router 134 (e.g., a publiclyroutable IP address of the origin router 134).

Next, at operation 1020, the compute server 128A transmits theencapsulated IP packet to the IP address of the origin router 134. Atoperation 1025, the origin router 134 of the origin network 130 receivesand decapsulates the encapsulated IP packet. The origin router 134transmits the inner packet to the origin server 132 for furtherprocessing. The origin server 132 processes the inner packet and mayrespond with a reply packet. The reply packet is received at the originrouter 134. At operation 1030, the IP packet is processed includinggenerating an encapsulated IP packet that uses IP as the transportprotocol (e.g., a GRE encapsulated IP packet). The inner packet of theencapsulated IP packet is the reply packet from the origin server 132.The inner packet has a source IP address of the origin server 132. Theinner packet has a destination IP address of the client device 110. Theouter packet of the encapsulated reply IP packet has a source IP addressof the origin router 134 (the tunnel endpoint address of the originrouter 134) and has a destination IP address of the anycast IP address(the tunnel endpoint address of the compute server(s) 128A-N. Next, atoperation 1032, the encapsulated IP packet is transmitted to the anycastIP address of the compute server(s) 128A-N.

As previously described, since the tunnel endpoint for the computeserver(s) 128A-N is an anycast IP address, the particular data center125 of the data centers 125A-N that receives the encapsulated return IPpacket at the tunnel endpoint is the one closest to the origin router134 according to an anycast implementation as determined by the networkinfrastructure between the origin router 134 and the data centers125A-N. The operations in FIG. 10 describe this situation. Thus, atoperation 1035, the encapsulated return IP packet is received at asecond data center 125N out of the data centers 125A-N. This return IPpacket is received at the data center 125N as a result of an anycastimplementation determination that the data center 125N is closest to theorigin network 130 out of the data centers 125A-N. A compute server 128Nof the data center 125N decapsulates the encapsulated IP packetrevealing the inner IP packet (the reply packet from the origin server132).

Next, at operation 1040, the compute server 128N determines, based onthe destination IP address of the reply packet (which is the IP addressof the client device 110), which of the data centers 125A-N was likelythe ingress data center for the packet flow (e.g., has the highestprobability according to a visitor probability map). For instance, thecompute server 128N uses a visibility probability map (e.g., keyed bythe destination IP address of the reply packet) to determine which ofthe data centers 125A-N was likely the ingress data center for thepacket flow (the data center that received the IP packet from the clientdevice). In an embodiment, the compute server 128N selects the datacenter that has the highest probability. In another embodiment, thecompute server 128N selects the data center that has the highestprobability of those that exceed a threshold. Next, at operation 1045,the compute server 128N determines if it is the data center that was thelikely ingress for the packet flow (e.g., if it has the highestprobability according to the visitor probability map). If it is, thenoperation 1050 is performed where the compute server 128N processes thereply packet (which may include performing one or more performanceservices and/or one or more security services as previously described)and transmits the reply packet to the client device 110. If the datacenter 125N is not the likely ingress data center for the packet flow,then operation 1055 is performed.

At operation 1055, the compute server 128N generates and transmits anencapsulated IP packet to the data center that is likely the ingressdata center for the packet flow. In this example, the data center 125Ais the likely ingress data center for the packet flow. The computeserver 128N encapsulates the inner IP packet, which includes the replypacket, inside an outer packet (e.g., an outer UDP packet) asillustrated in the encapsulated packet 650. The outer packet has asource IP address of the compute server 128N and a destination IPaddress of the compute server 128A. The inner packet has a source IPaddress of the origin server 132 and a destination IP address of theclient device 110.

At operation 1060, a compute server 128A of the data center 125Areceives the encapsulated packet sent from the compute server 128N anddecapsulates the encapsulated IP packet to reveal the reply IP packet.The compute server 128N then, at operation 1065, processes the replypacket, which may include performing one or more performance servicesand/or one or more security services as previously described, andassuming that it decides to transmit the reply to the client device,transmits the reply packet to the client device 110.

FIG. 11 shows a packet flow through a compute server 128 according to anembodiment. The packet flow shown in FIG. 11 is for an IP packetreceived from a client device such as the client device 110 and destinedto an origin network such as the origin network 130. For instance, thepacket flow of FIG. 11 may be processed by the compute server 128A ofthe data center 125A. The IP packet 1180 is received at an interface1110 at operation 1, which may be an ext0 interface. The interface 1110is shown twice in FIG. 11, once for incoming packet and once for anoutgoing packet. The IP packet 1180 may be like the packet 140. Atoperation 2, the packet flows through the DDoS mitigation module 1115where DDoS mitigation occurs. Assuming that the packet is not dropped,next at operation 3, a higher layer decision process 1117 is performedto determine and dispatch packets that will be processed with higherlayer processing (e.g., L4 and/or L7 processing). For instance, thehigher layer decision process 1117 may match the destination IP addressand port of the IP packet as one eligible for higher layer processing.If higher layer processing is determined, the higher layer decisionprocess 1117 dispatches the packet to one or more higher layerprocessing modules 1118 to perform the higher layer processing atoperation 4 b. The higher layer processing module(s) 1118 may include aprocessing module for layer 4 (e.g., TCP/UDP), and/or a processingmodule for layer 7 (e.g., HTTP/S). A packet that has been determined tobe transmitted to the origin network (leaving the higher layerprocessing module(s) 1118) are marked in the output packet marking chain1119, and then are treated like non-higher layer processing packets. Ifthe packet is not to be processed with higher layer processing, then atoperation 4 a the packet is marked by the prerouting packet markingmodule 1120 to indicate that the packet is destined for the originnetwork 130. Next, at operation 5, the packet is processed at therouting table 1122 (e.g., in the default namespace). A routing rule inthe routing table 1122 specifies that marked packets are to use the L3routing table 1125 at operation 6. The L3 routing table 1125 maps originprefixes to the appropriate virtual interface for the origin namespace1170. In this case, the L3 routing table 1125 has been configured with anext hop of the virtual interface 1140 for the origin's IP prefix. Thepacket exists the network stack on the virtual interface 1140 atoperation 7 and then is inserted into the network stack inside theorigin namespace 1170 via the virtual interface 1145. The packet thenflows through the origin L3 firewall module 1155 at operation 8. Theorigin L3 firewall module 1155 is configured with firewall rulesconfigured by or for the origin. Assuming that the packet is notfiltered by the origin L3 firewall module 1155 and it is determined tosend the packet to the origin network, the packet is processed with theorigin L3 routing table 1160 at operation 9. The origin L3 routing table1160 is configured based on BGP advertisements from the origin network.In this case, the origin L3 routing table 1160 indicates that the nexthop is the GRE interface 1150 and the packet is transmitted to the GREinterface 1150 at operation 10. The GRE interface 1150 encapsulates theIP packet inside an outer GRE packet according to the configuration ofthe GRE interface 1150. For instance, with respect to FIG. 1, the outerGRE packet includes a source IP address of a GRE endpoint of the computeserver 128A and a destination IP address of the GRE endpoint of theorigin router 134. As previously described, the IP address of the GREendpoint of the compute server 128A may be an anycast IP address that isalso advertised by the other compute servers of the data centers 125A-N.The packet is now GRE encapsulated and is inserted back at the top ofthe network stack by the GRE interface 1150. The GRE encapsulated packetis then sent to the origin L3 firewall module 1155 at operation 11 forfurther processing (or directly to the origin L3 routing table 1160).Assuming the GRE encapsulated packet is not filtered by the origin L3firewall module 1155 and it is determined to send the GRE encapsulatedpacket to the origin network, the GRE encapsulated packet is processedwith the origin L3 routing table 1160 at operation 12. The origin L3routing table is configured with a default route of a next hop of thevirtual interface 1145 and sent to the virtual interface 1145 atoperation 13. The GRE encapsulated packet exits the origin namespace1170 and is inserted into the top of the network stack in the defaultnamespace by the virtual interface 1140 at operation 14. The GREencapsulated packet is processed using the routing table 1122 atoperation 15 that indicates it should be sent out through the interface1110 at operation 16. The GRE encapsulated packet 1185 exits theinterface 1110 and sent to the origin router 134 at operation 17.

FIG. 12 shows a packet flow through a compute server 128 according to anembodiment. The packet flow shown in FIG. 12 is for a GRE-encapsulatedpacket received at the compute server 128 (e.g., from an origin router134). For instance, the packet flow of FIG. 12 may be processed by thecompute server 128N of the data center 125N. The GRE-encapsulated packet1280 is received at an interface 1110 at operation 1, which may be anext0 interface. The interface 1110 is shown twice in FIG. 12, once foran incoming packet and once for an outgoing packet. The GRE encapsulatedpacket 1280 may be like the packet 148. At operation 2, the packet flowsthrough the DDoS mitigation module 1115 where DDoS mitigation occurs.Assuming that the packet is not dropped, next at operation 3, a higherlayer decision process 1117 is performed to determine and dispatchpackets that will be processed with higher layer processing (e.g., L4and/or L7 processing). For instance, the higher layer decision process1117 may match the destination IP address and port of the IP packet asone eligible for higher layer processing. If higher layer processing isdetermined, the higher layer decision process 1117 dispatches the packetto one or more higher layer processing modules 1118 to perform thehigher layer processing at operation 4 b. The higher layer processingmodule(s) 1118 may include a processing module for layer 4 (e.g.,TCP/UDP), and/or a processing module for layer 7 (e.g., HTTP/S). Apacket that has been determined to be transmitted to the client device110 are marked in the output packing marking chain 1119 and then aretreated like non-higher layer processing packets. If the packet is notto be processed with higher layer processing, then at operation 4 a thepacket is marked by the prerouting packet marking module 1120 toindicate that the packet is destined for the client device 110. Next, atoperation 5, the packet is processed at the routing table 1122 (e.g., inthe default namespace). A routing rule in the routing table 1122specifies that packets destined by an anycast GRE prefix are to use theGRE routing table 1130 assigned to the virtual interface for theorigin's namespace, at operation 6 In this case, the GRE routing table1130 is configured with a next hop of the virtual interface 1140 for thespecific destination address of the GRE-encapsulated packet. The packetexists the network stack on the virtual interface 1140 at operation 7and then is inserted into the network stack inside the origin namespace1170 via the virtual interface 1145. The packet then flows through theorigin L3 firewall module 1155 at operation 8. The origin L3 firewallmodule 1155 is configured with firewall rules configured by or for theorigin. Assuming that the packet is not filtered by the origin L3firewall module 1155 and it is determined to send the packet to theclient device, the packet is processed with the origin L3 routing table1160 at operation 9. The origin L3 routing table 1160 is configuredbased on BGP advertisements from the origin network. In this case, theorigin L3 routing table 1160 indicates that the next hop is the GREinterface 1150 and the packet is transmitted to the GRE interface 1150at operation 10. The GRE interface 1150 decapsulates theGRE-encapsulated packet to reveal the inner IP packet. The IP packet isinserted back at the top of the network stack by the GRE interface 1150.The IP packet is then sent to the origin L3 firewall module 1155 atoperation 11 for further processing. Assuming the IP packet is notfiltered by the origin L3 firewall module 1155 and it is determined tosend the IP packet to the client device, the IP packet is processed withthe origin L3 routing table 1160 at operation 12. The origin L3 routingtable is configured with a default route of a next hop of the virtualinterface 1145 and sent to the virtual interface 1145 at operation 13.The IP packet exits the origin namespace 1170 and is inserted into thetop of the network stack in the default namespace by the virtualinterface 1140 at operation 14. The IP packet is processed using therouting table 1122 at operation 15 that indicates it should be sent outthrough the interface 1110 at operation 16. The IP packet 1282 exits theinterface 1110 and sent to the destination at operation 17. In caseswhere the compute server 128 transmits an encapsulated packet to anotherdata center for further processing (e.g., the compute server 128Ntransmitting the encapsulated packet 650 to the compute server 128A, thecompute server 128N transmitting the encapsulated packet 848 to thecompute server 128A), the routing table 1122 in operation 15 mayindicate a next hope of an interface to encapsulate the packet fortransmission to a different data center.

Embodiments have been described where IP packets are sent in a tunnel(e.g., GRE) to the origin network over the public internet. The route inwhich the IP packets (e.g., from the initial encapsulating data centerto the origin network) may be determined by conventional routingprotocols such as standard BGP, or in some embodiments, intelligentlyrouted through one or more intermediary data centers intermediary datacenters based on a set of factor(s) such as latency, speed, reliability,and or cost. For instance, in an embodiment, one of the performanceand/or security services that can be performed is intelligently routingthe IP packet to an origin network and/or intelligently routing the IPpacket from an origin network to the client device.

FIG. 13 illustrates an example of IP packets intelligently routedaccording to an embodiment. IP traffic may traverse the internet betweenthe data centers 125A-N. There may be multiple network providers thatprovide transit connections between the data centers 125A-N. Thedifferent transit connections may have different properties (e.g.,different performance characteristics such as latency, speed, and/orreliability; and cost). An optimized route between the entry data centerand the exit data center may be determined and used. The entry datacenter is the data center that initially receives the IP traffic and theexit data center is the data center that is connected with the originnetwork (e.g., with a tunnel such as a GRE tunnel as described herein).

For instance, with respect to FIG. 13, the data center 125A is the entrydata center (it receives the IP traffic from the client device 1310) andthe data center 125N is the exit data center (it is the last data centerof the data centers 125A-N to the origin network 130) of the optimizedroute. The optimized route may be based on a set of factors such aslatency, speed, reliability, and/or cost, for each of the transitconnections. The optimized route may not be the same as the route takenby conventional routing protocols such as standard BGP. For instance,FIG. 13 illustrates a nonoptimized route 1362 from the data center 125A(the entry data center) going through the hops (internet nodes) 1314 to1316 of the public network 1368 (e.g., the public internet) to theorigin network 130. As illustrated in FIG. 13, the IP traffic for thenonoptimized route is carried through the GRE tunnel 1330 from the datacenter 125A to the origin network 130, traversing the hops 1314 and1316. The nonoptimized route 1362 may be determined based onconventional routing protocols such as standard BGP. By way of example,with reference to FIG. 1, the packet 142 may traverse from the datacenter 125A to the origin network 130 over a nonoptimized route likethat of the nonoptimized route 1362.

FIG. 13 also illustrates the optimized route 1355 that goes from thedata center 125A to the data center 125B to the data center 125C to thedata center 125N to the origin network 130. Not all of the data centers125A-N are necessarily part of the optimized route. For instance, thedata centers 125D-E are not part of the optimized route. In anembodiment, the IP packets are encapsulated (e.g., using UDP) fortransit between the data centers on the optimized route and includeinformation that aids in routing.

In an embodiment, the encapsulating header includes the full path the IPpacket should traverse through the distributed cloud computing network120. The full path can be encoded as a list of hops where each hop is anidentifier of a data center 125 (e.g., not a full IP address). In thisembodiment, the entry data center 125 determines the full path (e.g.,looks up the path in optimized route storage based on the destinationaddress) and encodes the full path in the encapsulating header. Eachintermediate data center 125 can then use the path encoded in theencapsulating header to route the IP traffic instead of accessing theoptimized route storage to determine the next hop.

In an embodiment, the encapsulating header includes a hash or identifierof the full path that is stored in optimized route storage on each ofthe data centers 125A-N that is keyed by the hash or identifier. In suchan embodiment, the entry data center 125 determines the full path (e.g.,looks up the path in optimized route storage based on the destinationaddress) and encodes the hash or identifier in the encapsulating header.Each intermediate data center can then use the encoded hash oridentifier to determine the path.

In an embodiment, the encapsulating header includes a hash or otheridentifier that represents a specific routing policy (e.g., stored inoptimized route storage) that is used for the optimized route. Forinstance, a routing policy may be: fastest by latency, lowest jitter,lowest packet loss, cheapest by bandwidth, data sovereignty policies(e.g., don't route through a particular geographic region), etc. In suchan embodiment, the entry data center 125 determines the routing policyto apply (e.g., looks up the routing policy in the optimized routestorage based on the destination address and/or source address), andincludes the hash or other identifier in the metadata of theencapsulating header. This allows each data center of the optimizedroute to consistently apply the same routing polic(ies).

In an embodiment, the encapsulating header includes a hash or otheridentifier of the origin network 130 (e.g., a hash or other identifierof the IP address of the origin server 132 and/or origin router 134).For instance, in some embodiments, the IP packet is encrypted (includingthe source and destination IP address). Each data center 125 coulddecrypt the packet to determine the destination IP address. However,since decrypting/encrypting can be expensive, the hash or otheridentifier can be used to lookup the next hop without having to decryptthe encrypted payload.

As illustrated in FIG. 13, a tunnel 1364 is established between the datacenters 125A and 125B (e.g., the UDP tunnel 1364), a tunnel 1366 isestablished between the data centers 125B and 125C (e.g., the UDP tunnel1366), and a tunnel 1368 is established between the data centers 125Cand 125N (e.g., the UDP tunnel 1368). Since the data center 125N is theexit data center, it transmits the IP packets over the GRE tunnel 1370to the origin network 130.

FIG. 14 illustrates a block diagram for an exemplary data processingsystem 1400 that may be used in some embodiments. One or more such dataprocessing systems 1400 may be used to implement the embodiments andoperations described with respect to the compute servers or othercomputing devices. The data processing system 1400 is a computing devicethat stores and transmits (internally and/or with other computingdevices over a network) code (which is composed of software instructionsand which is sometimes referred to as computer program code or acomputer program) and/or data using machine-readable media (also calledcomputer-readable media), such as machine-readable storage media 1410(e.g., magnetic disks, optical disks, read only memory (ROM), flashmemory devices, phase change memory) and machine-readable transmissionmedia (also called a carrier) (e.g., electrical, optical, radio,acoustical or other form of propagated signals—such as carrier waves,infrared signals), which is coupled to the processing system 1420 (e.g.,one or more processors and connected system components such as multipleconnected chips). For example, the depicted machine-readable storagemedia 1410 may store program code 1430 that, when executed by theprocessor(s) 1420, causes the data processing system 1400 to perform anyof the operations described herein.

The data processing system 1400 also includes one or more networkinterfaces 1440 (e.g., a wired and/or wireless interfaces) that allowsthe data processing system 1400 to transmit data and receive data fromother computing devices, typically across one or more networks (e.g.,Local Area Networks (LANs), the Internet, etc.). The data processingsystem 1400 may also include one or more input or output (“I/O”)components 1450 such as a mouse, keypad, keyboard, a touch panel or amulti-touch input panel, camera, frame grabber, optical scanner, anaudio input/output subsystem (which may include a microphone and/or aspeaker), other known I/O devices or a combination of such I/O devices.Additional components, not shown, may also be part of the system 1400,and, in certain embodiments, fewer components than that shown in One ormore buses may be used to interconnect the various components shown inFIG. 14.

The techniques shown in the figures can be implemented using code anddata stored and executed on one or more computing devices (e.g., acompute server, a client device, a router, an origin server). Suchcomputing devices store and communicate (internally and/or with othercomputing devices over a network) code and data using computer-readablemedia, such as non-transitory computer-readable storage media (e.g.,magnetic disks; optical disks; random access memory; read only memory;flash memory devices; phase-change memory) and transitorycomputer-readable communication media (e.g., electrical, optical,acoustical or other form of propagated signals—such as carrier waves,infrared signals, digital signals). In addition, such computing devicestypically include a set of one or more processors coupled to one or moreother components, such as one or more storage devices (non-transitorymachine-readable storage media), user input/output devices (e.g., akeyboard, a touchscreen, and/or a display), and network connections. Thecoupling of the set of processors and other components is typicallythrough one or more busses and bridges (also termed as bus controllers).Thus, the storage device of a given computing device typically storescode and/or data for execution on the set of one or more processors ofthat computing device. Of course, one or more parts of an embodiment ofthe invention may be implemented using different combinations ofsoftware, firmware, and/or hardware.

In the preceding description, numerous specific details are set forth inorder to provide a more thorough understanding of the presentembodiments. It will be appreciated, however, by one skilled in the artthat the invention may be practiced without such specific details. Inother instances, control structures, gate level circuits and fullsoftware instruction sequences have not been shown in detail in ordernot to obscure understanding of the embodiments. Those of ordinary skillin the art, with the included descriptions, will be able to implementappropriate functionality without undue experimentation.

References in the specification to “one embodiment,” “an embodiment,”“an example embodiment,” etc., indicate that the embodiment describedmay include a particular feature, structure, or characteristic, butevery embodiment may not necessarily include the particular feature,structure, or characteristic. Moreover, such phrases are not necessarilyreferring to the same embodiment. Further, when a particular feature,structure, or characteristic is described in connection with anembodiment, it is submitted that it is within the knowledge of oneskilled in the art to affect such feature, structure, or characteristicin connection with other embodiments whether or not explicitlydescribed.

Bracketed text and blocks with dashed borders (e.g., large dashes, smalldashes, dot-dash, and dots) may be used herein to illustrate optionaloperations that add additional features to embodiments of the invention.However, such notation should not be taken to mean that these are theonly options or optional operations, and/or that blocks with solidborders are not optional in certain embodiments of the invention.

While the flow diagrams in the figures show a particular order ofoperations performed by certain embodiments of the invention, it shouldbe understood that such order is exemplary (e.g., alternativeembodiments may perform the operations in a different order, combinecertain operations, overlap certain operations, etc.).

While the invention has been described in terms of several embodiments,those skilled in the art will recognize that the invention is notlimited to the embodiments described, can be practiced with modificationand alteration within the spirit and scope of the appended claims. Thedescription is thus to be regarded as illustrative instead of limiting.

What is claimed is:
 1. A method in a distributed cloud computing networkthat includes a plurality of computing devices, the method comprising:configuring a Generic Routing Encapsulation (GRE) tunnel between theplurality of computing devices of the distributed cloud computingnetwork and a single origin router of an origin network, wherein the GREtunnel between each computing device and the single origin router has afirst GRE endpoint that has a same first IP address and a second GREendpoint that has a second IP address that is a publicly routable IPaddress of the single origin router; receiving, from a first clientdevice, a first IP packet at a first one of the plurality of computingdevices, wherein the received first IP packet has a first source IPaddress and a first destination IP address, wherein the first source IPaddress is a third IP address of the client device, wherein the firstdestination IP address is a fourth IP address of an origin server of theorigin network, wherein the fourth IP address is advertised as a firstanycast IP address at the distributed cloud computing network;processing the received first IP packet at the first computing device;encapsulating the processed first IP packet inside a first outer packetto generate a first GRE encapsulated packet, wherein the first outerpacket has a second source IP address and a second destination IPaddress, wherein the second source IP address is the first IP address,and wherein the second destination IP address is the second IP address;and transmitting the first GRE encapsulated packet over the GRE tunnelto the second IP address of the single origin router.
 2. The method ofclaim 1, wherein processing the received first IP packet at the firstcomputing device includes performing a distributed denial of service(DDoS) mitigation on the first IP packet.
 3. The method of claim 1,wherein the first IP address is a second anycast IP address.
 4. Themethod of claim 3, further comprising: wherein the second anycast IPaddress is advertised by each of the computing devices of thedistributed cloud computing network; receiving, at a second one of theplurality of computing devices over the GRE tunnel, a second GREencapsulated packet from the single origin router in response to thetransmitted first GRE encapsulated packet, the second GRE encapsulatedpacket having been directed to the second anycast IP address;processing, at the second computing device, the second GRE encapsulatedpacket including decapsulating the second GRE encapsulated packet toreveal a second IP packet, wherein the second IP packet has a thirdsource IP address and a third destination IP address, wherein the thirdsource IP address is the fourth IP address of the origin server, andwherein the third destination IP address is the third IP address of thefirst client device; and transmitting, by the second computing device,the second IP packet to the first client device.
 5. The method of claim3, further comprising: receiving, from a second client device, a secondIP packet at the first computing device, wherein the received second IPpacket has a third source IP address and a third destination IP address,wherein the third destination IP address is a fifth IP address of asecond origin server, wherein the fifth IP address is advertised as athird anycast IP address by the distributed cloud computing network, andwherein the third source IP address is a sixth IP address of the secondclient device; processing the received second IP packet at the firstcomputing device; encapsulating the processed second IP packet inside asecond outer packet to generate a second GRE encapsulated packet,wherein the second outer packet has a fourth source IP address and afourth destination IP address, wherein the second outer packet has thesecond anycast IP address as the fourth source IP address, wherein theouter packet has a seventh IP address of a second origin router for thesecond origin server as the fourth destination IP address; transmittingthe second GRE encapsulated packet over the GRE tunnel to the seventh IPaddress of the second origin router for the second origin server;receiving, at a second one of the plurality of computing devices overthe GRE tunnel, a third GRE encapsulated packet from the second originrouter in response to the transmitted second GRE encapsulated packet,the third GRE encapsulated packet being directed to the second anycastIP address; processing, at the second computing device, the third GREencapsulated packet including decapsulating the third GRE encapsulatedpacket to reveal a third IP packet, wherein the third IP packet has afifth source IP address and a fifth destination IP address, wherein thefifth source IP address is the fifth IP address of the second originserver, and wherein the fifth destination IP address is the sixth IPaddress of the second client device; determining, using a probabilitymap based on the fifth destination IP address, that an ingress for apacket flow of the third IP packet is the first computing device, andresponsive to this determining, transmitting the third IP packet fromthe second computing device to the first computing device; processing,at the first computing device, the third IP packet; and transmitting, bythe first computing device, the third IP packet to the second clientdevice.
 6. The method of claim 3, further comprising: receiving, from asecond client device, a second IP packet at the first computing device,wherein the received second IP packet has a third source IP address anda third destination IP address, wherein the third destination IP addressis a fifth IP address of a second origin server, wherein the fifth IPaddress is advertised as a third anycast IP address by the distributedcloud computing network, and wherein the third source IP address is asixth IP address of the second client device; processing the receivedsecond IP packet at the first computing device; modifying the processedsecond IP packet by changing the third source IP address of the receivedsecond IP packet to a seventh IP address of the first computing deviceto create a modified third IP packet; encapsulating the modified thirdIP packet inside a second outer packet to generate a second GREencapsulated packet, wherein the second outer packet has a fourth sourceIP address and a fourth destination IP address, wherein the second outerpacket has the second anycast IP address as the fourth source IPaddress, wherein the outer packet has an eighth IP address of a secondorigin router for the second origin server as the fourth destination IPaddress; transmitting the second GRE encapsulated packet over the GREtunnel to the eighth IP address of the second origin router for thesecond origin server; receiving, at a second one of the plurality ofcomputing devices over the GRE tunnel, a third GRE encapsulated packetfrom the second origin router in response to the transmitted second GREencapsulated packet, the third GRE encapsulated packet being directed tothe second anycast IP address; processing, at the second computingdevice, the third GRE encapsulated packet including decapsulating thethird GRE encapsulated packet to reveal a fourth IP packet, wherein thefourth IP packet has a fifth source IP address and a fifth destinationIP address, wherein the fifth source IP address is the fifth IP addressof the second origin server, and wherein the fifth destination IPaddress is the seventh IP address of the first computing device;transmitting the fourth IP packet from the second computing device tothe first computing device; processing, at the first computing device,the fourth IP packet; and transmitting, by the first computing device,the fourth IP packet to the second client device.
 7. The method of claim6, wherein processing the received second IP packet and processing thefourth IP packet include performing layer 4 and/or layer 7 processing.8. A non-transitory machine-readable storage medium that providesinstructions that, when executed by a processor, cause the processor toperform operations comprising: receiving, from a first client device, afirst IP packet at a first one of a plurality of computing devices of adistributed cloud computing network, wherein the received first IPpacket has a first source IP address and a first destination IP address,wherein the first source IP address is a first IP address of the clientdevice, wherein the first destination IP address is a second IP addressof an origin server of an origin network, wherein the second IP addressis advertised as a first anycast IP address at the distributed cloudcomputing network; processing the received first IP packet at the firstcomputing device; encapsulating the processed first IP packet inside afirst outer packet to generate a first GRE encapsulated packet, whereinthe first outer packet has a second source IP address and a seconddestination IP address, wherein the second source IP address is a thirdIP address assigned as a first Generic Routing Encapsulation (GRE)endpoint of a GRE tunnel that is configured on the first computingdevice and each of the other computing devices of the plurality ofcomputing devices, and wherein the second destination IP address is afourth IP address of a publicly routable IP address of a single originrouter of an origin network that is configured as a second GRE endpointof the GRE tunnel; and transmitting the first GRE encapsulated packetover the GRE tunnel to the fourth IP address of the single originrouter.
 9. The non-transitory machine-readable storage medium of claim8, wherein processing the received first IP packet at the firstcomputing device includes performing a distributed denial of service(DDoS) mitigation on the first IP packet.
 10. The non-transitorymachine-readable storage medium of claim 8, wherein the third IP addressis a second anycast IP address.
 11. The non-transitory machine-readablestorage medium of claim 10, wherein the operations further comprise:wherein the second anycast IP address is advertised by each of thecomputing devices of the distributed cloud computing network; receiving,at a second one of the plurality of computing devices over the GREtunnel, a second GRE encapsulated packet from the single origin routerin response to the transmitted first GRE encapsulated packet, the secondGRE encapsulated packet having been directed to the second anycast IPaddress; processing, at the second computing device, the second GREencapsulated packet including decapsulating the second GRE encapsulatedpacket to reveal a second IP packet, wherein the second IP packet has athird source IP address and a third destination IP address, wherein thethird source IP address is the second IP address of the origin server,and wherein the third destination IP address is the first IP address ofthe first client device; and transmitting, by the second computingdevice, the second IP packet to the first client device.
 12. Thenon-transitory machine-readable storage medium of claim 10, wherein theoperations further comprise: receiving, from a second client device, asecond IP packet at the first computing device, wherein the receivedsecond IP packet has a third source IP address and a third destinationIP address, wherein the third destination IP address is a fifth IPaddress of a second origin server, wherein the fifth IP address isadvertised as a third anycast IP address by the distributed cloudcomputing network, and wherein the third source IP address is a sixth IPaddress of the second client device; processing the received second IPpacket at the first computing device; encapsulating the processed secondIP packet inside a second outer packet to generate a second GREencapsulated packet, wherein the second outer packet has a fourth sourceIP address and a fourth destination IP address, wherein the second outerpacket has the second anycast IP address as the fourth source IPaddress, wherein the outer packet has a seventh IP address of a secondorigin router for the second origin server as the fourth destination IPaddress; transmitting the second GRE encapsulated packet over the GREtunnel to the seventh IP address of the second origin router for thesecond origin server; receiving, at a second one of the plurality ofcomputing devices over the GRE tunnel, a third GRE encapsulated packetfrom the second origin router in response to the transmitted second GREencapsulated packet, the third GRE encapsulated packet being directed tothe second anycast IP address; processing, at the second computingdevice, the third GRE encapsulated packet including decapsulating thethird GRE encapsulated packet to reveal a third IP packet, wherein thethird IP packet has a fifth source IP address and a fifth destination IPaddress, wherein the fifth source IP address is the fifth IP address ofthe second origin server, and wherein the fifth destination IP addressis the sixth IP address of the second client device; determining, usinga probability map based on the fifth destination IP address, that aningress for a packet flow of the third IP packet is the first computingdevice, and responsive to this determining, transmitting the third IPpacket from the second computing device to the first computing device;processing, at the first computing device, the third IP packet; andtransmitting, by the first computing device, the third IP packet to thesecond client device.
 13. The non-transitory machine-readable storagemedium of claim 10, wherein the operations further comprise: receiving,from a second client device, a second IP packet at the first computingdevice, wherein the received second IP packet has a third source IPaddress and a third destination IP address, wherein the thirddestination IP address is a fifth IP address of a second origin server,wherein the fifth IP address is advertised as a third anycast IP addressby the distributed cloud computing network, and wherein the third sourceIP address is a sixth IP address of the second client device; processingthe received second IP packet at the first computing device; modifyingthe processed second IP packet by changing the third source IP addressof the received second IP packet to a seventh IP address of the firstcomputing device to create a modified third IP packet; encapsulating themodified third IP packet inside a second outer packet to generate asecond GRE encapsulated packet, wherein the second outer packet has afourth source IP address and a fourth destination IP address, whereinthe second outer packet has the second anycast IP address as the fourthsource IP address, wherein the outer packet has an eighth IP address ofa second origin router for the second origin server as the fourthdestination IP address; transmitting the second GRE encapsulated packetover the GRE tunnel to the eighth IP address of the second origin routerfor the second origin server; receiving, at a second one of theplurality of computing devices over the GRE tunnel, a third GREencapsulated packet from the second origin router in response to thetransmitted second GRE encapsulated packet, the third GRE encapsulatedpacket being directed to the second anycast IP address; processing, atthe second computing device, the third GRE encapsulated packet includingdecapsulating the third GRE encapsulated packet to reveal a fourth IPpacket, wherein the fourth IP packet has a fifth source IP address and afifth destination IP address, wherein the fifth source IP address is thefifth IP address of the second origin server, and wherein the fifthdestination IP address is the seventh IP address of the first computingdevice; transmitting the fourth IP packet from the second computingdevice to the first computing device; processing, at the first computingdevice, the fourth IP packet; and transmitting, by the first computingdevice, the fourth IP packet to the second client device.
 14. Thenon-transitory machine-readable storage medium of claim 13, whereinprocessing the received second IP packet and processing the fourth IPpacket include performing layer 4 and/or layer 7 processing.
 15. A firstcomputing device of a plurality of computing devices of a distributedcloud computing network, the first computing device comprising: aprocessor; and a non-transitory machine-readable storage medium thatprovides instructions that, when executed by the processor, causes thefirst computing device to perform operations comprising: receiving, froma first client device, a first IP packet at the first computing device,wherein the received first IP packet has a first source IP address and afirst destination IP address, wherein the first source IP address is afirst IP address of the client device, wherein the first destination IPaddress is a second IP address of an origin server of an origin network,wherein the second IP address is advertised as a first anycast IPaddress at the distributed cloud computing network; processing thereceived first IP packet at the first computing device; encapsulatingthe processed first IP packet inside a first outer packet to generate afirst GRE encapsulated packet, wherein the first outer packet has asecond source IP address and a second destination IP address, whereinthe second source IP address is a third IP address assigned as a firstGeneric Routing Encapsulation (GRE) endpoint of a GRE tunnel that isconfigured on the first computing device and each of the other computingdevices of the plurality of computing devices, and wherein the seconddestination IP address a fourth IP address of a publicly routable IPaddress of a single origin router of an origin network that isconfigured as a second GRE endpoint of the GRE tunnel; and transmittingthe first GRE encapsulated packet over the GRE tunnel to the fourth IPaddress of the single origin router.
 16. The first computing device ofclaim 15, wherein processing the received first IP packet at the firstcomputing device includes performing a distributed denial of service(DDoS) mitigation on the first IP packet.
 17. The first computing deviceof claim 15, wherein the third IP address is a second anycast IPaddress.
 18. The first computing device of claim 17, wherein theoperations further comprise: wherein the second anycast IP address isadvertised by each of the computing devices of the distributed cloudcomputing network; receiving, at a second one of the plurality ofcomputing devices over the GRE tunnel, a second GRE encapsulated packetfrom the single origin router in response to the transmitted first GREencapsulated packet, the second GRE encapsulated packet having beendirected to the second anycast IP address; processing, at the secondcomputing device, the second GRE encapsulated packet includingdecapsulating the second GRE encapsulated packet to reveal a second IPpacket, wherein the second IP packet has a third source IP address and athird destination IP address, wherein the third source IP address is thesecond IP address of the origin server, and wherein the thirddestination IP address is the first IP address of the first clientdevice; and transmitting, by the second computing device, the second IPpacket to the first client device.
 19. The first computing device ofclaim 17, wherein the operations further comprise: receiving, from asecond client device, a second IP packet at the first computing device,wherein the received second IP packet has a third source IP address anda third destination IP address, wherein the third destination IP addressis a fifth IP address of a second origin server, wherein the fifth IPaddress is advertised as a third anycast IP address by the distributedcloud computing network, and wherein the third source IP address is asixth IP address of the second client device; processing the receivedsecond IP packet at the first computing device; encapsulating theprocessed second IP packet inside a second outer packet to generate asecond GRE encapsulated packet, wherein the second outer packet has afourth source IP address and a fourth destination IP address, whereinthe second outer packet has the second anycast IP address as the fourthsource IP address, wherein the outer packet has a seventh IP address ofa second origin router for the second origin server as the fourthdestination IP address; transmitting the second GRE encapsulated packetover the GRE tunnel to the seventh IP address of the second originrouter for the second origin server; receiving, at a second one of theplurality of computing devices over the GRE tunnel, a third GREencapsulated packet from the second origin router in response to thetransmitted second GRE encapsulated packet, the third GRE encapsulatedpacket being directed to the second anycast IP address; processing, atthe second computing device, the third GRE encapsulated packet includingdecapsulating the third GRE encapsulated packet to reveal a third IPpacket, wherein the third IP packet has a fifth source IP address and afifth destination IP address, wherein the fifth source IP address is thefifth IP address of the second origin server, and wherein the fifthdestination IP address is the sixth IP address of the second clientdevice; determining, using a probability map based on the fifthdestination IP address, that an ingress for a packet flow of the thirdIP packet is the first computing device, and responsive to thisdetermining, transmitting the third IP packet from the second computingdevice to the first computing device; processing, at the first computingdevice, the third IP packet; and transmitting, by the first computingdevice, the third IP packet to the second client device.
 20. The firstcomputing device of claim 17, wherein the operations further comprise:receiving, from a second client device, a second IP packet at the firstcomputing device, wherein the received second IP packet has a thirdsource IP address and a third destination IP address, wherein the thirddestination IP address is a fifth IP address of a second origin server,wherein the fifth IP address is advertised as a third anycast IP addressby the distributed cloud computing network, and wherein the third sourceIP address is a sixth IP address of the second client device; processingthe received second IP packet at the first computing device; modifyingthe processed second IP packet by changing the third source IP addressof the received second IP packet to a seventh IP address of the firstcomputing device to create a modified third IP packet; encapsulating themodified third IP packet inside a second outer packet to generate asecond GRE encapsulated packet, wherein the second outer packet has afourth source IP address and a fourth destination IP address, whereinthe second outer packet has the second anycast IP address as the fourthsource IP address, wherein the outer packet has an eighth IP address ofa second origin router for the second origin server as the fourthdestination IP address; transmitting the second GRE encapsulated packetover the GRE tunnel to the eighth IP address of the second origin routerfor the second origin server; receiving, at a second one of theplurality of computing devices over the GRE tunnel, a third GREencapsulated packet from the second origin router in response to thetransmitted second GRE encapsulated packet, the third GRE encapsulatedpacket being directed to the second anycast IP address; processing, atthe second computing device, the third GRE encapsulated packet includingdecapsulating the third GRE encapsulated packet to reveal a fourth IPpacket, wherein the fourth IP packet has a fifth source IP address and afifth destination IP address, wherein the fifth source IP address is thefifth IP address of the second origin server, and wherein the fifthdestination IP address is the seventh IP address of the first computingdevice; transmitting the fourth IP packet from the second computingdevice to the first computing device; processing, at the first computingdevice, the fourth IP packet; and transmitting, by the first computingdevice, the fourth IP packet to the second client device.
 21. The firstcomputing device of claim 20, wherein processing the received second IPpacket and processing the fourth IP packet include performing layer 4and/or layer 7 processing.